Closed Bug 1837383 Opened 2 years ago Closed 5 months ago

<a href="javascript:alert(1);" target="_blank"> + clicking on left ctrl, shift-clicking, alt-clicking. Execute javascript in the same origin

Categories

(Core :: DOM: Core & HTML, defect)

Firefox 116
Desktop
All
defect

Tracking


RESOLVED DUPLICATE of bug 672618
Tracking Status
firefox114 --- affected

People

(Reporter: malekmahmed55, Unassigned)

Details

(Keywords: reporter-external, sec-low)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

Steps to reproduce:

  1. Go to https://nuvjcp.csb.app/
  2. Click the link; a new tab will be opened and no JavaScript will be executed.
  3. Press the left Ctrl, Shift, or Alt key, then click the link. JavaScript will be executed in the same origin.

Actual results:

JavaScript gets executed in the same origin.

Expected results:

Blocking JavaScript execution.

I have found a vulnerability in a bug bounty program and I was able to exploit it using this trick.
You can check my write-up here: https://medium.com/@malekmahmed55/turning-a-50-tab-nabbing-vulnerability-into-a-1000-account-takeover-9c3f32cb2d84
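The report above shows that a `javascript:` href can still run in the page's own origin when the user modifier-clicks a `target="_blank"` link, so a site that renders user-supplied links cannot rely on the browser's new-tab behaviour to neutralise such hrefs. The following is an added example, not code from this bug or from Firefox, of the check a page can apply before inserting untrusted anchors: it resolves each href with the WHATWG URL parser (which strips the same leading whitespace and embedded tab/newline characters a browser ignores) and keeps only an allow-list of schemes; the `example.invalid` base and the function names are assumptions.

```javascript
// Added example (not from the bug or from Firefox): allow-list the scheme of an
// untrusted href before it reaches the DOM. Assumes the WHATWG URL class
// available in Node.js and browsers.

// Schemes a rendered anchor may use. Everything else, including javascript:,
// data: and vbscript:, is rejected rather than passed through.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns true when `href` resolves to an allowed scheme. The URL parser
// lowercases the scheme ("JaVaScRiPt:" -> "javascript:"), drops leading and
// trailing C0 controls/spaces and removes embedded tabs and newlines, so the
// check matches what the browser would actually navigate to.
function isSafeHref(href, base = "https://example.invalid/") {
  if (typeof href !== "string") return false;
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return false; // unparseable input: reject instead of guessing
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Builds the attributes for an untrusted link. An unsafe href is dropped so the
// anchor is inert, and a link that opens a new tab always gets
// rel="noopener noreferrer" so the opened page cannot reach window.opener.
function sanitizeLink({ href, text, newTab = false }) {
  const attrs = {};
  if (isSafeHref(href)) attrs.href = href;
  if (newTab) {
    attrs.target = "_blank";
    attrs.rel = "noopener noreferrer";
  }
  return { attrs, text: String(text) };
}
```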

I was able to reproduce the issue with the specs from the description using FF build 114.0 (20230529085652) on Win10.
Marking as New so that the development team can have a look.

Found this regression range: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c7d1db6d321f0e46cac8a53e7a40e53ff176a1de&tochange=fb7ca98a68818c53c8eb69a3a8c8936fcb07ba01

2023-06-09T16:02:06: DEBUG : Found commit message:
Bug 1694993 - Part 7: Don't set LOAD_FLAGS_DISALLOW_INHERIT_PRINCIPAL for chrome windows, r=smaug
Depends on D155277
Differential Revision: https://phabricator.services.mozilla.com/D157514

Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → All
Hardware: Unspecified → Desktop

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core

Nika, do you mind checking this out and seeing if this is a bug?

Group: dom-core-security
Flags: needinfo?(nika)
Flags: sec-bounty?

I believe this is the same issue as bug 1794274 and other similar issues, with a fix for them being looked into in bug 1828096.

Flags: needinfo?(nika)
Group: dom-core-security → firefox-core-security
Component: DOM: Core & HTML → General
Product: Core → Firefox

Can we make this report private?

(In reply to Malek from comment #5)
> Can we make this report private?

This bug is already not public. Can you clarify what you mean?

Flags: needinfo?(malekmahmed55)

Yeah, I didn't notice it was private. Thanks for the confirmation.

Flags: needinfo?(malekmahmed55)

The severity field is not set for this bug.
:mossop, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(dtownsend)
Severity: -- → S2
Flags: needinfo?(dtownsend)
Group: firefox-core-security → dom-core-security
Component: General → DOM: Core & HTML
Keywords: sec-low
Product: Firefox → Core

(resetting the severity since the component was changed so this falls into the normal triage process)

Severity: S2 → --
Severity: -- → S3

Is there any update on this?

(In reply to Malek from comment #10)
> Is there any update on this?

No; any updates will normally appear in the bug.

Duplicate of this bug: 1945534
No longer duplicate of this bug: 1945534
Status: NEW → RESOLVED
Closed: 5 months ago
Duplicate of bug: 672618
Resolution: --- → DUPLICATE
Group: dom-core-security
Flags: sec-bounty? → sec-bounty-