Mozilla Foundation Security Advisory 2015-72

Remote HTML tag injection in Gaia Search app

Announced
August 6, 2015
Reporter
Muneaki Nishimura
Impact
High
Products
Firefox OS
Fixed in
  • Firefox OS 2.2

Description

Security researcher Muneaki Nishimura reported an issue with Gaia's Search app which allows an attacker to inject HTML code into the System app's context via specially-crafted search links. The injection occurs when the user opens such malicious link in the browser and then re-opens the browser or opens the tab view.

References