Mozilla Foundation Security Advisory 2015-153

HTML injection in homescreen app bypassing DOM sanitizer

Announced
December 30, 2015
Reporter
Muneaki Nishimura
Impact
High
Products
Firefox OS
Fixed in
  • Firefox OS 2.5

Description

Mozilla fixed a bug in the l10n localization of the default homescreen app of Firefox OS reported by security researcher Muneaki Nishimura. Exploiting this issue requires tricking the user into bookmarking a specially crafted web page via the 'Add to home screen' functionality. As a result, an iframe controlled by the attacker would be executed with homescreen privileges, potentially leading to further system compromise.

References