Universal XSS with pop-up prompts
Categories
(Fenix :: General, defect)
Tracking
(firefox88 fixed, firefox89 fixed, firefox90 fixed)
People
(Reporter: jwkbugzilla, Unassigned)
References
Details
(Keywords: csectype-sop, sec-critical)
Attachments (1 file): 615 bytes, text/html
Fenix allows pop-up prompts to stack when window.open() is called multiple times. This doesn't seem to be properly considered in the code; on navigation only one such prompt is removed. So a page can produce two prompts and navigate elsewhere; then one prompt will remain. If the user happens to allow the pop-up, it will open with the new page as opener. If a javascript: URI is opened, the code will be able to gain full access to the "opener" page.
You can see the attached page do this: it produces two pop-up prompts, then redirects to Google. The prompt is a JavaScript URL with some trivial obfuscation: it appears to relate to google.com while the actual JavaScript code (alert(opener.location.href)) is URL-encoded. Accepting the prompt will then produce an alert message showing that it can indeed access the opening Google page.
This is particularly critical given bug 1701673: a web page can produce a huge number of pop-up prompts, thus forcing the user to accept the pop-up in an attempt to unlock the UI.
Comment 1•4 years ago
Just a heads up that we're having some good discussions about how to approach this bug. Thinking about a patch and also to ask the GeckoView team to possibly harden the underlying code to avoid similar attacks.
It is possible that the fix for this bug will also close bug 1701970 and bug 1701673. This needs a bit more time, so we won't dupe or close those bugs yet.
Comment 2•4 years ago
Summary of our plan for how to fix this:
In A-C/Fenix we need to make sure we never stack multiple prompts to directly address bug 1701970 and bug 1701673. This would also address the specific case here as a single prompt is already properly dismissed on navigation.
However, failing to automatically dismiss a prompt should still not open us up to this type of problem. So we need to address this bug in GV by making sure confirming/allowing a popup after navigation results in an error and the popup will not be opened.
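The two layers in that plan can be modelled as invariants on a per-tab prompt queue. The following is an added example, not Fenix, android-components or GeckoView code; the class name, the navigation "generation" counter and the two options (present only so the weak behaviour can be reproduced in a test) are assumptions:

```javascript
// Added example, not Fenix/GeckoView code: a model of the pop-up prompt
// lifecycle with the two layers from the plan above.
//   Layer 1 (A-C/Fenix): never stack prompts; navigation dismisses what is pending.
//   Layer 2 (GeckoView): every prompt remembers the navigation it was raised in,
//   and confirming one after a later navigation is an error, not an open.
// The options exist only so the weak behaviour can be reproduced in a test.
class PopupPromptManager {
  constructor(initialUrl, { allowStacking = false, dismissAllOnNavigate = true } = {}) {
    this.currentUrl = initialUrl;
    this.generation = 0;   // incremented on every top-level navigation
    this.pending = [];     // prompts shown to the user but not yet answered
    this.opened = [];      // pop-ups that were actually opened
    this.nextId = 1;
    this.allowStacking = allowStacking;
    this.dismissAllOnNavigate = dismissAllOnNavigate;
  }

  // window.open(target) from the page: queue a prompt instead of opening.
  // Returns the prompt id, or null when the request was dropped (layer 1).
  requestPopup(target) {
    if (!this.allowStacking && this.pending.length > 0) return null;
    const prompt = { id: this.nextId++, target, generation: this.generation, opener: this.currentUrl };
    this.pending.push(prompt);
    return prompt.id;
  }

  // Top-level navigation. Returns how many prompts were dismissed.
  navigate(url) {
    this.generation += 1;
    this.currentUrl = url;
    const dismissed = this.dismissAllOnNavigate ? this.pending.length : Math.min(1, this.pending.length);
    this.pending.splice(0, dismissed);   // weak mode mirrors "only one prompt is removed"
    return dismissed;
  }

  // The user taps Allow. Returns { target, opener } or throws for stale prompts.
  confirm(promptId) {
    const idx = this.pending.findIndex((p) => p.id === promptId);
    if (idx === -1) throw new Error(`prompt ${promptId} is not pending`);
    const [prompt] = this.pending.splice(idx, 1);
    if (prompt.generation !== this.generation) {
      // Layer 2: the document that asked for this pop-up is gone; refuse to open
      // it against the new page, which would otherwise become its opener.
      throw new Error(`prompt ${promptId} is stale: raised before a navigation`);
    }
    const popup = { target: prompt.target, opener: prompt.opener };
    this.opened.push(popup);
    return popup;
  }
}
```

In the weak configuration the second prompt survives navigation exactly as the report describes, but the generation check still refuses to open it, which is the backstop the GeckoView side of the plan provides.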
Comment 3•4 years ago
Verified that Bug 1703629 fixes the sec-critical problem, without the changes outlined in Comment 2.
Comment 4•4 years ago
Fixed in 89
Comment 5•4 years ago
Fix will ship in Fenix 88.1.3 & Focus 8.15.3.