Closed Bug 1701684 (CVE-2021-29953) Opened 4 years ago Closed 4 years ago

Universal XSS with pop-up prompts

Categories

(Fenix :: General, defect)

Unspecified
Android
defect

Tracking

(firefox88 fixed, firefox89 fixed, firefox90 fixed)

RESOLVED FIXED
Tracking Status
firefox88 --- fixed
firefox89 --- fixed
firefox90 --- fixed

People

(Reporter: jwkbugzilla, Unassigned)

References

Details

(Keywords: csectype-sop, sec-critical)

Attachments

(1 file)

Attached file Proof of concept page

Fenix allows pop-up prompts to stack when window.open() is called multiple times. This doesn't seem to be properly considered in the code: on navigation only one such prompt is removed. So a page can produce two prompts and navigate elsewhere; one prompt will then remain. If the user happens to allow the pop-up, it will open with the new page as opener. If a javascript: URI is opened, the code will be able to gain full access to the "opener" page.

You can see the attached page do this: it produces two pop-up prompts, then redirects to Google. The prompt is a JavaScript URL with some trivial obfuscation – it appears to relate to google.com while the actual JavaScript code (alert(opener.location.href)) is URL-encoded. Accepting the prompt will then produce an alert message showing that it can indeed access the opening Google page.

This is particularly critical given bug 1701673 – a web page can produce a huge number of pop-up prompts, thus forcing the user to accept the pop-up in an attempt to unlock the UI.

Just a heads up that we're having some good discussions about how to approach this bug. We are thinking about a patch, and also about asking the GeckoView team to possibly harden the underlying code to avoid similar attacks.

It is possible that the fix for this bug will also close bug 1701970 and bug 1701673; this needs a bit more time, so we won't dupe or close those bugs yet.

Summary of our plan for how to fix this:

In A-C/Fenix we need to make sure we never stack multiple prompts, to directly address bug 1701970 and bug 1701673. This would also address the specific case here, as a single prompt is already properly dismissed on navigation.

However, failing to automatically dismiss a prompt should still not open us up to this type of problem. So we need to address this bug in GV by making sure that confirming/allowing a popup after navigation results in an error and the popup is not opened.
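The two layers of that plan, as an added illustration that is not Fenix, Android-Components or GeckoView code: the UI layer refuses to stack prompts and dismisses the pending one on navigation, and the engine layer independently rejects a confirmation that belongs to an earlier navigation. All names (PopupPromptManager, onNavigate, onPopupRequested, confirm) and the URLs are hypothetical; the dismissOnNavigate flag only exists to simulate the UI-side dismissal failing.

```kotlin
// Added example, not project code. Models the defence described in the plan:
// (1) never stack prompts, dismiss the pending one on navigation;
// (2) even if (1) fails, a prompt created for an earlier navigation must not open.

sealed class PopupResult {
    data class Opened(val url: String, val opener: String) : PopupResult()
    data class Rejected(val reason: String) : PopupResult()
}

class PopupPromptManager(private val dismissOnNavigate: Boolean = true) {
    private var currentUrl: String = "about:blank"
    // Bumped on every navigation; a prompt is only valid for the navigation it was created in.
    private var navigationId: Long = 0
    // At most one pending prompt per session: (target URL, navigationId it was created in).
    private var pending: Pair<String, Long>? = null

    fun onNavigate(url: String) {
        navigationId++
        currentUrl = url
        // UI-layer defence: drop every pending prompt, not just one of them.
        if (dismissOnNavigate) pending = null
    }

    // Returns false when a prompt is already pending, so prompts never stack.
    fun onPopupRequested(targetUrl: String): Boolean {
        if (pending != null) return false
        pending = targetUrl to navigationId
        return true
    }

    fun confirm(): PopupResult {
        val (targetUrl, createdIn) = pending ?: return PopupResult.Rejected("no pending prompt")
        pending = null
        // Engine-layer defence: a prompt confirmed after navigation would get the
        // *new* page as opener, so it must fail instead of opening.
        if (createdIn != navigationId) return PopupResult.Rejected("prompt predates current navigation")
        return PopupResult.Opened(targetUrl, opener = currentUrl)
    }
}

fun main() {
    val m = PopupPromptManager()
    m.onNavigate("https://page-a.example/")
    check(m.onPopupRequested("https://popup.example/one"))
    check(!m.onPopupRequested("https://popup.example/two"))   // second prompt does not stack
    m.onNavigate("https://page-b.example/")
    check(m.confirm() is PopupResult.Rejected)                 // dismissed by the UI layer

    val buggyUi = PopupPromptManager(dismissOnNavigate = false) // simulate the UI-side failure
    buggyUi.onNavigate("https://page-a.example/")
    buggyUi.onPopupRequested("https://popup.example/one")
    buggyUi.onNavigate("https://page-b.example/")
    check(buggyUi.confirm() is PopupResult.Rejected)           // engine layer still refuses
}
```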

Depends on: 1703629

Verified that Bug 1703629 fixes the sec-critical problem, without the changes outlined in Comment 2.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release

Fix will ship in Fenix 88.1.3 & Focus 8.15.3.

Alias: CVE-2021-29953
Group: core-security-release
Component: Security: Android → General
OS: Unspecified → Android