Closed
Bug 1444752
Opened 6 years ago
Closed 6 years ago
DoS vulnerability with looped window.open() calls
Categories
(Firefox :: Untriaged, defect, P2)
Tracking
()
RESOLVED
DUPLICATE
of bug 685828
People
(Reporter: ddwrtuuuu, Unassigned)
Details
Attachments
(1 file)
797 bytes,
application/java-archive
|
Details |
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 Build ID: 20160606114208 Steps to reproduce: 1. Download the attached zip file. (Firepwn-PoC-...Team.zip) 2. Unzip it. 3. Open exp.html (exp.js is the exploit code) 4. Wait 5-10 seconds. 5. Exploit runs. Actual results: This bug will crash and/or freeze Firefox. (tested on Firefox 47, probably works on newer versions) In Ubuntu, the Firefox window (for me) will darken and become unresponsive until force-quit. Expected results: The software should do something along these lines. Firefox, should have a counter, that resets every, 15-30 seconds or so. When window.open() is called, it is incremented. If it gets to large, window.open() calls are not even blocked by the pop-up blocker, they are simply should get blocked at the time they're called; to reduce the DoS's impact.
Alias: firepwn
Severity: normal → minor
Keywords: wsec-dos
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
Summary: There is a DoS vulnerability in window.open(); → DoS vulnerability with looped window.open() calls
Comment 1•6 years ago
|
||
Isn't this a dupe of bug 685828 which in turn is a dupe of bug 675574 ?
Flags: needinfo?(ddwrtuuuu)
Comment 2•6 years ago
|
||
Looping window.open with user interaction is a known issue tracked in bug 675574, but looping window.open without user interaction was tracked in bug 685828 until we duped it during eviltraps triage. I'm a bit confused about the state of "looping window.open crashes Firefox bugs", but this issue is certainly known, so duping forward to bug 685828. Note that with e10s this problem isn't as bad as it used to be. 47 is an ancient version, Nightly is hitting 61 this week. With e10s enabled, the only problem seems to be the messaging overhead and/or the fact that we need to update chrome UI in real time, which makes the slow content process have an effect on the parent, but not unbearable on my machine. Maybe we should just start ignoring the notifications in browser.js after some threshold. That's not really what this bug is concerned with, though. We should consider unduping bug 685828.
Updated•6 years ago
|
Alias: firepwn
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
|
Attachment #8957949 -
Attachment mime type: application/zip → application/java-archive
You need to log in
before you can comment on or make changes to this bug.
Description
•