Mozilla Foundation Security Advisory 2015-118

CSP bypass due to permissive Reader mode whitelist

Announced: November 3, 2015
Reporter: Mario Heiderich, Frederik Braun
Impact: Moderate
Products: Firefox
Fixed in:
  • Firefox 42

Description

Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to run. Mozilla developer Frederik Braun independently discovered and reported the same issue. The bypass occurs even though Reader View explicitly disables script for rendered pages by filtering them through a whitelist of allowed HTML content: Heiderich found that the whitelist was too permissive, so a malicious site could manipulate content to bypass CSP protections, allowing possible cross-site scripting (XSS) attacks.
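The advisory's point is that an HTML whitelist which only decides at the tag level is not enough: attributes and URL schemes carry script too. The following is an added illustration written for this page, not Firefox's Reader mode code and not the whitelist it actually used; the two policies, the tag and attribute sets, and the constructed sample input are all assumptions chosen to show the difference between a permissive allowlist (allowed tags keep every attribute) and a strict one (per-tag attribute allowlist plus a URL scheme check). It uses only Python's standard library.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Hypothetical strict policy: tag -> attributes that may survive on it.
# Constructed for this example; it is not Reader mode's real whitelist.
STRICT_POLICY = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
# Hypothetical permissive policy: same tag list, but None means "keep all attributes".
PERMISSIVE_POLICY = {tag: None for tag in STRICT_POLICY}

URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}   # "" covers relative URLs
DROP_CONTENT = {"script", "style"}     # drop the element and its text
VOID_TAGS = {"img", "br"}


def safe_url(value):
    """True only for http(s) or relative URLs; everything else is rejected."""
    try:
        scheme = urlparse(value.strip()).scheme.lower()
    except ValueError:
        return False
    return scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only tags/attributes the policy allows."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.policy:
            return            # unknown tag: drop the tag, keep its text
        allowed = self.policy[tag]
        kept = []
        for name, value in attrs:
            value = value or ""
            if allowed is not None:      # strict: filter by name and scheme
                if name not in allowed:
                    continue
                if name in URL_ATTRS and not safe_url(value):
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.policy or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html, policy):
    parser = AllowlistSanitizer(policy)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: script in an element, in event-handler attributes, and in a URL scheme.
SAMPLE = (
    '<p onmouseover="handler()">Hello <a href="javascript:handler()">link</a> '
    '<a href="https://example.org/">ok</a>'
    '<script>handler()</script><img src="pic.png" onerror="handler()"></p>'
)

if __name__ == "__main__":
    print("permissive:", sanitize(SAMPLE, PERMISSIVE_POLICY))
    print("strict:    ", sanitize(SAMPLE, STRICT_POLICY))
```

Both policies remove the `<script>` element, yet the permissive one still emits the event-handler attributes and the `javascript:` link, so a page that relies on a tag-only whitelist ends up executing script anyway. The strict policy keeps the same tags but passes nothing it has not explicitly named and checked, which is the property a Reader-mode style filter needs.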

References