Closed Bug 1457693 Opened 3 years ago Closed 2 years ago

Popup blocker bypass using nested html elements

Categories

(Firefox :: Security, defect, P3)

59 Branch
defect

Tracking

()

RESOLVED DUPLICATE of bug 1459264
Tracking Status
firefox59 --- affected
firefox60 --- affected
firefox61 --- affected

People

(Reporter: bugbot6, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, sec-low, testcase)

Attachments

(1 file)

Popup blocker bypass using nested HTML elements.
When nested html elements all have a `onclick()` event leading to an popup, the popup blocker does not see that all `onclick()` events came from one click.
This allows for multiple popups to appear on one click. 

To reproduce the bug create a simple html page with nested elements as described above. All `onclick()` events call the same javascript function, which calls for a popup. (See attachment for PoC)

The expected result would be to have one popup, as we did have one user interaction. As well as a message from the popup blocker as more popups are attempted to be made.

This bug was found on FireFox Version 59.0.2, which is the latest at the time of reporting.

Regards,
BugBot
I have reproduced this issue on the 3 main versions of Firefox (release - 59.0.3, beta - 60.0b16, nightly - 61.0a1) on a Windows10 x64.
Also, I couldn't reproduce the issue using Chrome.
Status: UNCONFIRMED → NEW
Component: Untriaged → General
Ever confirmed: true
Gah this one is really annoying, I'll mark this as security sensitive based on the fact that bug 1208950 (which does the same thing but through a different method) is also sec-sensitive.
Blocks: eviltraps
Group: firefox-core-security
Component: General → Security
Priority: -- → P3
See Also: → 1208950

This bug is fixed by bug 675574.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 675574
Assignee: nobody → amarchesini

Whoops

Assignee: amarchesini → nobody

This bug is still not fixed for Firefox 65.
Maybe this is due to the different nature of execution compared to bug 675574? (which indeed has been fixed)
I tested this to still work on

  • 65.0 (64-bit) (Ubuntu 18.04.1)
  • 65.0 (64-bit) (windows 10)

Could it be that this is not a duplicate?

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Hm, this is fixed in Nightly 66 but not in Beta 65 for me, baku, do you know what's going on here? Did we land some other improvements in 66?

Flags: needinfo?(amarchesini)

Bug 1459264 should fix this issue and that bug landed in 66.

Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Duplicate of bug: 1459264
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.