UXSS via bookmarks with javascript scheme
Categories: Firefox :: Security, defect
People: Reporter: old-account, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 2 files
Tested with the latest version of Firefox with default settings on Windows/Linux operating systems.
When a link with a javascript scheme is registered in a bookmark and clicked from another origin, JavaScript is executed from that origin.
The user interaction required to exploit this vulnerability is bookmarking a link and clicking on the added bookmark, and in the case of an unspecified attack using this vulnerability, that interaction would occur without significant effort on the part of the attacker.
Steps to reproduce:
- Open attached PoC
- Add link "link" with javascript scheme to bookmark.
- Visit another website.
- Click the bookmark you saved in step 2.
Actual results:
Arbitrary javascript code is executed on a different origin. In this PoC, document.cookie from another domain is output.
Suggestions:
When a link with a javascript scheme is clicked in bookmarks, it takes you to a blank page (this page should be considered a different origin, and should not have access to Firefox features) and then launches it. This will allow bookmarks with normal-purpose javascript schemes to still work.
Please let me know if you need more information.
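An added example, not part of the report and not Firefox code: a check that audits a Firefox bookmark export (the Netscape bookmark HTML format Firefox writes) for entries whose URL uses the javascript: scheme, normalizing whitespace, control characters and case the way URL parsers do so that disguised entries are not missed. The sample export below is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Browsers drop ASCII whitespace and C0 controls while parsing a URL, so a
# "javascript:" scheme can hide behind them; normalize the same way before checking.
_STRIP_RE = re.compile(r"[\x00-\x20\x7f]")

def normalize_scheme(href: str) -> str:
    """Lowercased scheme of href after stripping whitespace/control characters."""
    cleaned = _STRIP_RE.sub("", href)
    scheme, sep, _rest = cleaned.partition(":")
    return scheme.lower() if sep else ""

class _BookmarkParser(HTMLParser):
    """Collects (title, href) from the Netscape bookmark HTML that Firefox exports,
    where each bookmark is an <A HREF="..."> element whose text is the title."""
    def __init__(self):
        super().__init__()
        self.entries, self._href, self._title = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self._href, self._title = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.entries.append(("".join(self._title).strip(), self._href))
            self._href = None

def find_javascript_bookmarks(bookmark_html: str):
    """Return (title, href) for every bookmark whose URL uses the javascript: scheme."""
    parser = _BookmarkParser()
    parser.feed(bookmark_html)
    return [(t, h) for t, h in parser.entries if normalize_scheme(h) == "javascript"]

# Constructed sample export (not a real file): two ordinary links and two
# javascript: entries, one disguised with leading whitespace, a tab and mixed case.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="https://example.test/">Example</A>
<DT><A HREF="javascript:void(0)">Plain bookmarklet</A>
<DT><A HREF=" &#9;JavaScript:void(1)">Disguised bookmarklet</A>
<DT><A HREF="mailto:someone@example.test">Mail</A>
</DL><p>"""

if __name__ == "__main__":
    for title, href in find_javascript_bookmarks(SAMPLE_EXPORT):
        print(f"javascript: bookmark: {title!r} -> {href!r}")
```

Run it against a real export (Bookmarks > Manage Bookmarks > Export Bookmarks to HTML) to list every bookmarklet in the profile and decide which ones are still wanted.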