Closed Bug 1791948 Opened 2 years ago Closed 2 years ago

iframe contents can be arbitrarily drawn outside of iframe.

Categories

(Firefox :: Security, task)

Firefox 105
x86_64
Linux
task

RESOLVED DUPLICATE of bug 1792643

People

(Reporter: prada960808, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(2 files)

Steps to reproduce:

  1. Open 'main.html' in Firefox 105.

Actual results:
The content in the iframe is drawn outside of the iframe.

Expected results:
The content in the iframe should not be drawn outside of the iframe.

Severity:
This is vulnerable because the iframe domain (i.e., attacker) can fully cover the page of the main frame (i.e., victim) with any images using CSS margin-left, margin-top, and background-image (or background).

Environment:
Version: Firefox 105.0b5
OS: Ubuntu 20.04

How was this issue discovered?

  • I used my fuzzer to find this issue.

Flags: sec-bounty?
Attached file iframe.html
Group: firefox-core-security
Component: Other → Security
OS: All → Linux
Product: Websites → Firefox
Hardware: All → x86_64
Version: unspecified → Firefox 105
Attached image screenshot.png

This is an incomplete duplicate of 1792643, and was missed because it required both "website" and "firefox" security bug permissions to access the bug, and very, very few people have both.

Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE

The bug bounty was declined simply because it was a duplicate; it's not a judgement on the value of the problem, which will be decided in bug 1792643.

Group: firefox-core-security