Closed
Bug 1479311
(CVE-2018-12382)
Opened 6 years ago
Closed 6 years ago
Firefox for Android - AddressBar Spoofing using specially-crafted javascript: URL opened in a new tab
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox61 wontfix, firefox62 verified, firefox63 fixed)
VERIFIED
FIXED
Firefox 63
People
(Reporter: jordi.chancel, Assigned: JanH)
References
()
Details
(Keywords: csectype-spoof, regression, sec-low, Whiteboard: [adv-main62+])
Attachments
(2 files)
|
352 bytes,
text/html
|
Details | |
|
59 bytes,
text/x-review-board-request
|
snorp
:
review+
lizzard
:
approval-mozilla-beta+
|
Details |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:61.0) Gecko/20100101 Firefox/61.0 Build ID: 20180604143143 Steps to reproduce: When a Malicious web-page on an Attacker Web-Site opens a javascript: URL containing the Attacker Domain (Example: Attacker Domain = www.yyy.com ; javascript URL opened = javascript: [codes] + www.yyy.com + [codes] ) , the Attacker Domain is visible at the right into the AddressBar and covers the javascript: Protocol, so at the left into the AddressBar it is possible to show another Domain (ex: www.google.com ; www.bankofamerica.com …). This can lead to AddressBar Spoofing (The Video Demo in Attachments will show you how this vulnerability works). STR: -1) Go to the TestCase URL and Click on the « ClickMe » link (The specially-crafted javascript: URL is now opened in a new tab). This javascript: URL opened in a new tab can lead to AddressBar Spoofing. Actual results: The specially-crafted javascript: URL can lead to AddressBar Spoofing (As demonstrated in the video-demo in Attachments). Expected results: A possibility to fix this vulnerability: the specially-crafted javascript URL should be visible like others javascript URL (The javascript protocol should be always visible into the Address Bar)
|
Reporter | |
Comment 1•6 years ago
|
||
The Video-demo.
|
|
Reporter | |
Updated•6 years ago
|
|
||
Updated•6 years ago
|
Flags: sec-bounty?
|
|
||
Updated•6 years ago
|
Group: firefox-core-security
Keywords: csectype-spoof,
sec-low
|
Assignee | |
Comment 2•6 years ago
|
||
I guess we shouldn't attempt to do domain highlighting (which is what drives the scrolling of the URL) for URLs starting with "javacript:" here: https://dxr.mozilla.org/mozilla-central/rev/a2d65d03e46a9a42b5bee5c2a7864d3f987a8ca7/mobile/android/app/src/photon/java/org/mozilla/gecko/toolbar/ToolbarDisplayLayout.java#331
Assignee: nobody → jh+bugzilla
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → Android
Hardware: Unspecified → All
| Comment hidden (mozreview-request) |
|
||
Comment 4•6 years ago
|
||
| mozreview-review | ||
Comment on attachment 8997537 [details] Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL. https://reviewboard.mozilla.org/r/261256/#review268954
Attachment #8997537 -
Flags: review?(snorp) → review+
Pushed by mozilla@buttercookie.de: https://hg.mozilla.org/integration/autoland/rev/bf82b74a7db7 Don't attempt finding and highlighting a tab's base domain within a javascript: URL. r=snorp
|
||
Comment 6•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/bf82b74a7db7
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63
|
|
Assignee | |
Comment 7•6 years ago
|
||
Comment on attachment 8997537 [details] Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL. Approval Request Comment [Feature/Bug causing the regression]: URL bar domain highlighting in combination with bug 1271998 [User impact if declined]: A tab's base domain contained within a "javascript:" URL might incorrectly be highlighted and scrolled to, obscuring the fact that the URL is in fact a "javascript:" URL. [Is this code covered by automated tests?]: No. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: No. [Why is the change risky/not risky?]: Just adding a check for the "javascript:" protocol in the domain highlighting code. [String changes made/needed]: None.
Attachment #8997537 -
Flags: approval-mozilla-beta?
|
||
Updated•6 years ago
|
status-firefox61:
--- → wontfix
status-firefox62:
--- → affected
|
|
||
Comment 8•6 years ago
|
||
Comment on attachment 8997537 [details] Bug 1479311 - Don't attempt finding and highlighting a tab's base domain within a javascript: URL. Adding a simple check for protocol; let's uplift for beta 18.
Attachment #8997537 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Comment 9•6 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/7456a854852b
|
||
Updated•6 years ago
|
Whiteboard: [adv-main62+]
|
||
Comment 10•6 years ago
|
||
Verified as fixed on Beta 62.0b19, javascript:setTimeout is visible in the URL bar. Marking as verified since it won't fix 61.
Status: RESOLVED → VERIFIED
|
|
||
Comment 11•6 years ago
|
||
Unfortunately does not qualify for our bug bounty program
|
|
||
Updated•6 years ago
|
Alias: CVE-2018-12382
|
|
Reporter | |
Updated•6 years ago
|
|
||
Updated•4 years ago
|
Flags: sec-bounty-hof+
|
||
Updated•3 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•