HTML injection in homescreen app bypassing DOM sanitizer
- December 30, 2015
- Muneaki Nishimura
- Firefox OS
- Fixed in: Firefox OS 2.5
Mozilla fixed a bug in the l10n localization of the default homescreen
app of Firefox OS, reported by security researcher Muneaki
Nishimura. Exploiting this issue requires tricking the user into
bookmarking a specially crafted web page via the 'Add to home screen'
functionality. As a result, an iframe controlled by the attacker would
be executed with homescreen privileges, potentially leading to further
system compromise.