Firefox browser JavaScript injection attacks

In an effort to mitigate a large class of potential cross-site
scripting issues in Firefox, Mozilla has blocked the execution of all
inline scripts and of potentially dangerous eval-like functions in the
browser's built-in "about:" pages, the gateway to sensitive
preferences, settings, and statistics of the browser.

The Firefox browser has 45 such internal, locally hosted about:
pages [1]. Some of them, which you may have noticed or used at some
point, are listed below:

  • about:config — panel to modify Firefox preferences and critical
    settings.
  • about:downloads — your recent downloads done within
    Firefox.
  • about:memory — shows the memory usage of Firefox.
  • about:newtab — the default new tab page.
  • about:plugins — lists all your plugins as well as other useful
    information.
  • about:privatebrowsing — open a new private window.
  • about:networking — displays networking information.

Note that these changes do not affect how websites from the
Internet work in Firefox. Going forward, however, Mozilla
vows to "closely audit and evaluate" the use of harmful
functions in third-party extensions and other built-in mechanisms.

Firefox Disabled Inline JavaScript for Security

Since all these pages are written in HTML/JavaScript and render in
the security context of the browser itself, they are also exposed to
code injection: a vulnerability in one of them could allow a remote
attacker to inject and execute arbitrary code on behalf of the user,
i.e. a cross-site scripting (XSS) attack with browser-level privileges.
To add a robust first line of defense against code injection, one that
holds even when such a vulnerability exists, Mozilla has blocked the
execution of all inline scripts, and therefore of injected scripts as
well, by applying a strict Content Security Policy (CSP) that ensures
JavaScript only executes when loaded from a packaged resource over the
browser's internal protocol. The policy does not remove the injection
point; it stops the injected payload from running.

To achieve this, Mozilla had to rewrite all inline event handlers
(onclick and similar attributes) and move all inline JavaScript
out of line into separate packaged files for all 45 about: pages.

“Not allowing any inline script in any of the about: pages limits
the attack surface of arbitrary code execution and hence provides a
strong first line of defense against code injection attacks,”
Mozilla said in a blog post [2] published earlier today.

NO EVAL, NO EVIL!

When attackers can't inject script directly, they look for places
where the application passes attacker-influenced text to eval() or a
similar function, which converts that text into executable JavaScript
and so still achieves code injection.

So, in addition to inline scripts, Mozilla has also removed and
blocked eval-like functions, which the browser maker calls another
"dangerous tool," since eval() parses and executes an arbitrary
string in the same security context as the code that calls it.

“If you run eval() with a string that could be affected by a
malicious party, you may end up running malicious code on the
user’s machine with the permissions of your webpage/extension,”
Mozilla explains [3] on its MDN web docs.

Google also shares the same view, as the tech giant says [4],
“eval is dangerous inside an extension because the code it executes
has access to everything in the extension’s high-permission
environment.”

For this, Mozilla rewrote all uses of eval-like functions in
system-privileged contexts and in the parent process of the Firefox
codebase.

Besides this, the company also added eval() assertions that
disallow the use of eval() and its relatives in system-privileged
script contexts and inform the Mozilla Security Team of any
as-yet-unknown instances of eval() that are still reached.
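Below is an added example in JavaScript that models what such an eval() assertion does; it is not Firefox's code. Every eval-like entry point on a scope object is replaced with a wrapper that refuses string-to-code conversion and records the call site, while the callback form of timers and a JSON.parse-based replacement for "eval a data string" keep working. The scope object standing in for the privileged global, the report list, and the preference blob are all constructed for the example.

```javascript
// Added example (not Firefox code): an "eval assertion" for a privileged
// script context. Each eval-like entry point is replaced with a wrapper that
// refuses to turn a string into code and records where it was called from,
// so unknown uses surface (and can be reported) instead of silently running.

function installEvalAssertions(scope, reports) {
  // Wrapper factory: every call is logged with a stack trace and then fails.
  const blocked = (api) =>
    function blockedEval(...args) {
      const err = new Error(`eval assertion: ${api} is not allowed in a privileged context`);
      reports.push({ api, argument: String(args[0]).slice(0, 40), stack: err.stack });
      throw err;
    };
  scope.eval = blocked("eval");
  scope.Function = blocked("Function");
  // setTimeout/setInterval with a string argument are eval in disguise; the
  // callback form is harmless and stays available.
  for (const timer of ["setTimeout", "setInterval"]) {
    const original = scope[timer];
    scope[timer] = function guardedTimer(handler, ...rest) {
      if (typeof handler !== "function") return blocked(`${timer}(string)`)(handler);
      return original.call(globalThis, handler, ...rest);
    };
  }
  return scope;
}

// What the rewrite replaces eval() with when the string is data, not code:
// JSON.parse cannot execute anything. Shape validation is still the caller's job.
function parsePrefsSafely(text) {
  const prefs = JSON.parse(text);
  if (prefs === null || typeof prefs !== "object" || Array.isArray(prefs)) {
    throw new TypeError("expected a JSON object of preferences");
  }
  return prefs;
}

// Exercise the assertions on a constructed stand-in for the privileged global.
function runDemo() {
  const reports = [];
  const scope = installEvalAssertions(
    { eval: globalThis.eval, Function: globalThis.Function,
      setTimeout: globalThis.setTimeout, setInterval: globalThis.setInterval },
    reports);
  const attempt = (fn) => {
    try { return { ok: true, value: fn() }; }
    catch (e) { return { ok: false, error: e.message }; }
  };
  // Constructed preference blob; treat it as attacker-influenced input.
  const untrusted = '{"browser.startup.page": 1}';
  return {
    evalString:    attempt(() => scope.eval("(" + untrusted + ")")),
    functionCtor:  attempt(() => new scope.Function("return 1")()),
    stringTimer:   attempt(() => scope.setTimeout("alert(1)", 0)),
    callbackTimer: attempt(() => { clearTimeout(scope.setTimeout(() => {}, 0)); return "scheduled"; }),
    safeParse:     attempt(() => parsePrefsSafely(untrusted)),
    reports,
  };
}

for (const [name, result] of Object.entries(runDemo())) {
  if (name === "reports") continue;
  console.log(name.padEnd(14), result.ok ? "ran" : `blocked: ${result.error}`);
}
```

The three string-to-code attempts fail and leave a report entry each, with a stack trace pointing at the caller, which is the information a security team needs to find remaining instances; the callback timer and the JSON.parse path behave normally. Installing the same wrappers on `globalThis` instead of a constructed scope object is the production form of the idea, but it also changes behaviour for every other script in that context, which is why the assertion belongs only in system-privileged contexts.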

References

  1. about pages (developer.mozilla.org)
  2. blog post (blog.mozilla.org)
  3. explains (developer.mozilla.org)
  4. says (developer.chrome.com)
