Reader Mode does not completely disable all active content (XSS)

RESOLVED DUPLICATE of bug 1182778

Status

defect
4 years ago
3 years ago

People

(Reporter: freddyb, Unassigned)

Tracking

({sec-low, wsec-xss})

unspecified
x86_64
Linux
Firefox Tracking Flags

(firefox38 affected)

Details

Attachments

(1 attachment)

Reporter

Comment 1

4 years ago
STR
1) Open attached PoC
2) click on reader mode button
3) click on the black rectangle
4) XSS

I think this *may* be a bug in ParserUtils or in how they are used, but I did not have the time to look into this properly. Will update if I make any additional findings.
Reporter

Updated

4 years ago
Attachment #8569150 - Attachment description: one.html → PoC
Reporter

Comment 2

4 years ago
I assume this is sec-low, firstly because it requires a click and secondly because 'about:reader' seems unprivileged. I hope I am right.

I was thinking of taking an exploit further by trying to spoof messages or events. AboutReader.jsm does cross-domain XMLHttpRequests, but I'm not sure how far that would take me and if this is time well spent.
If that was possible, I would suggest doing anonymous XMLHttpRequests in AboutReader.jsm, but that would kill readability for articles behind a log-in (intranet, paywall...).
(In reply to Frederik Braun [:freddyb] from comment #2)
> I assume this is sec-low, firstly because it requires a click and secondly
> because 'about:reader' seems unprivileged. I hope I am right.

Yes, this was fixed in bug 778582.
Reporter

Comment 4

4 years ago
Moving the discussion to the newly filed bug 1182778
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-4518

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release