Closed Bug 1812509 Opened 2 years ago Closed 2 years ago

UXSS via bookmarks with javascript scheme

Categories: Firefox :: Security, defect

Status: RESOLVED INVALID

People

(Reporter: old-account, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached file poc.html

Tested with the latest version of Firefox with default settings on Windows/Linux operating systems.

When a link with a javascript scheme is registered as a bookmark and clicked from another origin, the JavaScript is executed in that origin.

The user interaction required to exploit this vulnerability is bookmarking a link and then clicking the added bookmark; in the case of an unspecified attack using this vulnerability, that interaction would occur without significant effort on the part of the attacker.

Steps to reproduce:

  1. Open the attached PoC.
  2. Add the link "link" (which has a javascript scheme) to your bookmarks.
  3. Visit another website.
  4. Click the bookmark you saved in step 2.

Actual results:

Arbitrary JavaScript code is executed on a different origin. In this PoC, document.cookie from another domain is output.

Suggestions:

When a link with a javascript scheme is clicked in bookmarks, it should first take you to a blank page (this page should be considered a different origin and should not have access to Firefox features) and then execute the script there. This would allow bookmarks with legitimate javascript schemes to keep working.

Please let me know if you need more information.

Flags: sec-bounty?
Attached video bookmark_UXSS.mp4
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-