Bug 1136692 - Reader Mode does not completely disable all active content (XSS)
Status: Closed (opened 10 years ago, closed 10 years ago)
Categories: Toolkit :: Reader Mode, defect
Resolution: RESOLVED DUPLICATE of bug 1182778
Tracking:
| Tracking | Status | |
|---|---|---|
| firefox38 | --- | affected |
People: Reporter: freddy; Assignee: Unassigned
Keywords: sec-low, wsec-xss
Attachments (1 file): 2.06 KB, text/html
Comment 0 hidden (typo)
Comment 1 • 10 years ago (Reporter)
STR:
1) Open attached PoC
2) click on reader mode button
3) click on the black rectangle
4) XSS
I think this *may* be a bug in ParserUtils or in how they are used, but I did not have the time to look into this properly. Will update if I make any additional findings.
Updated • 10 years ago (Reporter)
Attachment #8569150 - Attachment description: one.html → PoC
Comment 2 • 10 years ago (Reporter)
I assume this is sec-low, firstly because it requires a click and secondly because 'about:reader' seems unprivileged. I hope I am right.
I was thinking of taking an exploit further by trying to spoof messages or events. AboutReader.jsm does cross-domain XMLHttpRequests, but I'm not sure how far that would take me and if this is time well spent.
If that was possible, I would suggest doing anonymous XMLHttpRequests in AboutReader.jsm, but that would kill readability for articles behind a log-in (intranet, paywall...).
Comment 3 • 10 years ago
(In reply to Frederik Braun [:freddyb] from comment #2)
> I assume this is sec-low, firstly because it requires a click and secondly
> because 'about:reader' seems unprivileged. I hope I am right.
Yes, this was fixed in bug 778582.
Updated • 10 years ago
status-firefox38: --- → affected
Comment 4 • 10 years ago (Reporter)
Moving the discussion to the newly filed bug 1182778
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated • 10 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release