Closed Bug 1689059 Opened 5 years ago Closed 5 years ago

Apparent execution of remotely hosted code by Traduzir Páginas Web a.k.a. Translate Web Pages

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Firefox 84
defect

RESOLVED INVALID

People

(Reporter: grahamperrin, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

https://addons.mozilla.org/es/firefox/addon/traduzir-paginas-web/ or https://addons.mozilla.org/addon/traduzir-paginas-web/

  1. Add the extension to a desktop version of Firefox
  2. https://www.s3blog.org/s3gt.html
  3. click the toolbar button for 'Translate this page'

Actual results:

  1. translation through (if I'm not mistaken) execution of remote code.

% grep -R translate.google.com .
./PRIVAVY:The only communication is with Google (translate.google.com and translate.googleapis.com) and Yandex (translate.yandex.net) server.
./scripts/contentScript_google.js: element_script2.src = "//translate.google.com/translate_a/element.js?cb=twp_googleTranslateElementInit"
./scripts/mobile.js: let url = "https://translate.google.com/translate_a/single?client=gtx&sl=auto"
%

– element_script2.src in particular.

Expected results:

  1. disallowance of remotely hosted code – bug 1594234 (for Firefox 86) and so on.

./scripts/contentScript_google.js is not used in the extension, and all the code inside this file (including the remote script injection) is commented out.
./scripts/mobile.js - here they are actually doing a request to the server to get the translation, no remote script injection.
The element_script2 function is commented out.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID

Thanks for the explanation, apologies for the misunderstanding.
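
The point made in the review comment, that a grep hit does not show the matched line ever runs, as an added example (not code from the extension or from Mozilla's review tooling): a small scanner that drops comments before looking for remote URLs assigned to `.src`. The function names are hypothetical and the sample sources are constructed from the grep output above; it covers only the "commented out" half of the explanation, not whether a file is loaded by the extension at all.

```javascript
// Simplified scanner: handles string literals and comments, but not regex
// literals or ${} nesting inside template strings.
function stripComments(src) {
  let out = "", i = 0;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '"' || c === "'" || c === "`") {
      // Copy the string literal whole: "//host/x.js" is data, not a comment.
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += src[j] === "\\" ? 2 : 1;
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (c === "/" && n === "/") {
      while (i < src.length && src[i] !== "\n") i++; // skip line comment
    } else if (c === "/" && n === "*") {
      const end = src.indexOf("*/", i + 2); // skip block comment
      i = end === -1 ? src.length : end + 2;
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

// Remote (http, https or protocol-relative) URLs assigned to a .src property
// in code that is not commented out. Hits still need manual review.
function liveRemoteSrc(src) {
  const re = /\.src\s*=\s*["'`]((?:https?:)?\/\/[^"'`]+)["'`]/g;
  return [...stripComments(src).matchAll(re)].map((m) => m[1]);
}

// Constructed samples: the line grep matched, once commented out, once live.
const URL_LINE =
  'element_script2.src = "//translate.google.com/translate_a/element.js?cb=twp_googleTranslateElementInit"';
const CREATE = "let element_script2 = document.createElement('script')\n";
const commentedOut = "/*\n" + CREATE + URL_LINE + "\n*/\n";
const live = CREATE + URL_LINE + "\n";

console.log("commented out:", liveRemoteSrc(commentedOut));
console.log("live:", liveRemoteSrc(live));
```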
