Closed Bug 1136692 Opened 7 years ago Closed 6 years ago
Reader Mode does not completely disable all active content (XSS)
STR
1) Open attached PoC
2) click on reader mode button
3) click on the black rectangle
4) XSS

I think this *may* be a bug in ParserUtils or in how they are used, but I did not have the time to look into this properly. Will update if I make any additional findings.
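An added example, not code from this bug or from Firefox's reader-mode implementation: a small post-sanitization audit in JavaScript that walks the HTML handed to a reader view and flags any active content that survived (script-bearing elements, `on*` event handler attributes, `javascript:` URLs, including entity-encoded or whitespace-padded ones, and active CSS). It uses a simple tag/attribute scanner rather than a real HTML parser, so it is a defensive check to run over sanitizer output, not a sanitizer. The function names and the sample markup are constructed for this example.

```javascript
// Audit sanitizer output for active content that should never reach a reader view.
// Hypothetical helper names; a regex scanner, not a real HTML parser.

const DISALLOWED_TAGS = new Set([
  "script", "iframe", "object", "embed", "applet", "form", "meta", "link", "base",
]);
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href", "data", "poster"]);

// Opening tags only: "</x>" fails the [a-zA-Z] test after "<".
const TAG_RE = /<\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
// name="value", name='value', name=value or a bare name.
const ATTR_RE = /([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function codePointOrEmpty(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Decode numeric and a few named entities so "jav&#x61;script:" is not missed.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointOrEmpty(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointOrEmpty(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":");
}

// Browsers ignore leading control characters and whitespace inside a scheme,
// so strip them before comparing.
function isActiveUrl(value) {
  const v = decodeEntities(value).replace(/[\x00-\x20]/g, "").toLowerCase();
  return v.startsWith("javascript:") || v.startsWith("vbscript:") || v.startsWith("data:text/html");
}

const ACTIVE_STYLE_RE = /expression\s*\(|url\s*\(\s*['"]?\s*javascript:/i;

// Returns a list of findings; an empty list means nothing active was seen.
function findActiveContent(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (DISALLOWED_TAGS.has(tag)) findings.push({ tag, reason: "disallowed element" });
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (name.startsWith("on")) {
        findings.push({ tag, attr: name, reason: "event handler" });
      } else if (URL_ATTRS.has(name) && isActiveUrl(value)) {
        findings.push({ tag, attr: name, reason: "script url" });
      } else if (name === "style" && ACTIVE_STYLE_RE.test(decodeEntities(value))) {
        findings.push({ tag, attr: name, reason: "active style" });
      }
    }
  }
  return findings;
}

// Constructed sample: what a leaky sanitizer might emit for a reader view.
const SAMPLE = [
  "<h1>Article</h1>",
  '<p>Plain <a href="https://example.org/">link</a></p>',
  '<div onclick="alert(1)">click me</div>',
  '<a href="jav&#x61;script:alert(1)">encoded</a>',
].join("\n");

console.log(findActiveContent(SAMPLE));
// → [ { tag: 'div', attr: 'onclick', reason: 'event handler' },
//     { tag: 'a', attr: 'href', reason: 'script url' } ]
```

Run it with `node` on the HTML a sanitizer produced; any non-empty result is a regression to investigate before that markup is rendered with scripts enabled.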
Attachment #8569150 - Attachment description: one.html → PoC
I assume this is sec-low, firstly because it requires a click and secondly because 'about:reader' seems unprivileged. I hope I am right. I was thinking of taking an exploit further by trying to spoof messages or events. AboutReader.jsm does cross-domain XMLHttpRequests, but I'm not sure how far that would take me and if this is time well spent. If that was possible, I would suggest doing anonymous XMLHttpRequests in AboutReader.jsm, but that would kill readability for articles behind a log-in (intranet, paywall...).
(In reply to Frederik Braun [:freddyb] from comment #2)
> I assume this is sec-low, firstly because it requires a click and secondly
> because 'about:reader' seems unprivileged. I hope I am right.

Yes, this was fixed in bug 778582.
Moving the discussion to the newly filed bug 1182778
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-4518