Closed Bug 1657430 Opened 4 years ago Closed 4 years ago

malvertisers exploit infinite pushState loop to freeze Firefox

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
79 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1314912

People

(Reporter: eliya, Unassigned)

Details

Attachments

(2 files)

browlock_poc_firefox.html
289 bytes, text/html
Details
browlock.png
187.64 KB, image/png
Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Steps to reproduce:

Hi Team,

Over the last 1-2 weeks we have been chasing down a malvertising campaign that is running via native ads on high profile publishers.

Once victims land on the malicious landing page, they are presented with a tech support scam.

The landing page itself contains a "browlock" mechanism that will crash or significantly stall recent versions of most modern browsers including Chrome, FireFox, Opera, and Brave.

Attached is a screenshot of the malicious landing page for context, along with a distilled POC that produces the browlock.

We've found that this tactic produces a significant slow down of browser responsiveness within 5-30 seconds, often leading to a complete freeze that requires killing the browser process in order to unlock.

In conjunction with the infinite pushState loop, this attacker also hides the pointer in a nested pointerlock loop which effectively buys some time for the browlock to go into full effect.

Given the persistence and broad reach of these malvertisers, this browlock is likely impacting a pretty large swath of users.

Hopefully this can somehow be mitigated in a future release of Firefox.

Best,
Eliya Stein

Attached image browlock.png
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: