Closed Bug 1879739 (CVE-2024-31393) Opened 1 year ago Closed 1 year ago

JavaScript URLs load when dragged to address bar, bypassing restriction on them (Potential UXSS)

Categories

(Firefox for iOS :: Browser, defect)

defect

Tracking


VERIFIED FIXED
Tracking Status
fxios 124 ---

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

References


Details

(Keywords: csectype-sop, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached video fxios-jsurl-uxss.mov

Firefox for iOS normally disallows top-level navigation to javascript: URLs.
However, this limitation can be bypassed by dragging and dropping a javascript: URL into the address bar.
This behavior has potential use for Universal XSS attacks.

The following page is a reproduction case of this attack.
https://csrf.jp/2024/fxios-jsurl.php

On this page, when you start dragging a URL link, the page is switched to www.google.com.
And when you drop the link into the address bar, the script is executed on www.google.com.

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Browser
Product: Firefox → Firefox for iOS
Summary: JavaScript URLs top-level navigation can be bypassed on Firefox iOS (Potential UXSS) → JavaScript URLs load when dragged to address bar, bypassing restriction on them (Potential UXSS)

Thank you Muneaki for reporting the issue. We are working on a WebEngine project that will as a side-effect improve how navigation is allowed/refused in our app. The current issue is yet another place where there are no scheme checks before navigation happens in the project. I'll do a quick fix for now.

For anyone following, the drag and drop is handled through this code here.
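As an added illustration of the missing check the comment above describes, and not code from this bug, from Firefox for iOS (which is written in Swift) or from the linked PR: the JavaScript below contrasts a drop handler that hands any dropped text straight to navigation with one that parses the text with the WHATWG URL parser and only navigates for an allow-listed scheme. The function names, the allow-list and the sample inputs are assumptions made for the example.

```javascript
// Added example, not Firefox for iOS code. Shows the scheme check that the
// developer comment above says was missing for drag-and-drop into the
// address bar. The allow-list and function names are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Vulnerable shape: whatever text lands in the address bar becomes the URL
// to load, so a dragged "javascript:" link runs in the current page's origin.
function naiveDropTarget(droppedText) {
  return droppedText.trim();
}

// Hardened shape: parse first, then compare the normalised scheme against the
// allow-list. The WHATWG parser strips leading/trailing C0 controls and
// spaces and removes embedded tabs/newlines before reading the scheme, so
// "  JaVa\nScript:" still normalises to "javascript:" and is refused.
function safeDropTarget(droppedText) {
  let url;
  try {
    url = new URL(droppedText);
  } catch {
    // Not an absolute URL: leave it to search handling, never navigate.
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    // javascript:, data:, file:, blob:, ... are all refused here.
    return null;
  }
  return url.href;
}

// Constructed sample payloads (not taken from the bug's attachment).
const SAMPLE_DROPS = [
  "javascript:alert(document.domain)",
  "  JaVaScRiPt:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "https://www.google.com/",
  "google.com",
];

// Returns, for each sample, what each handler would navigate to.
function compareHandlers(samples = SAMPLE_DROPS) {
  return samples.map((text) => ({
    text,
    naive: naiveDropTarget(text),
    safe: safeDropTarget(text),
  }));
}

for (const row of compareHandlers()) {
  console.log(JSON.stringify(row));
}
```

Doing the check on the parsed `protocol` rather than with a string prefix test is the point: a `startsWith("javascript:")` guard misses case and whitespace variants that the URL parser quietly normalises into the same scheme.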

Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

PR was merged, is pending tests and will be part of the 124 release. Thank you :muneaki!

Flags: sec-bounty? → sec-bounty+

Hey Muneaki. Nice find. We can see this as an XSS type of bug but not necessarily as UXSS. The bug requires you to drag and drop a link from the current web page (or an iframe) and not any arbitrary web page. It also requires some user interaction. We're going to award this on the lower end of "sec-moderate" due to these circumstances. Thank you for continuing to participate in our bug bounty program.

Verified as fixed on v124 (39092) with iPhone 15 Pro (17.1.2).
When I dragged the link over the URL bar, www.google.com was loaded and displayed correctly; there was no https://www.google.com UXSS prompt, as can be seen in the previous version where the issue was not fixed.

Status: RESOLVED → VERIFIED
Attached file advisory.txt
Alias: CVE-2024-31393
Group: core-security-release
