Mozilla Foundation Security Advisory 2015-118

CSP bypass due to permissive Reader mode whitelist

Announced

November 3, 2015

Reporter

Mario Heiderich, Frederik Braun

Impact

Moderate

Products

Firefox

Fixed in

Firefox 42

Description

Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to be run. Mozilla developer Frederik Braun independently discovered and reported this same issue as well. This issue happens even though Reader View explicitly disables script for rendered pages through a whitelist of allowed HTML content. Mario discovered that the whitelist was too permissive and a malicious site could manipulate content to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks.

References

Passive script execution on about:reader via SVG animations (affects: Firefox, NoScript, CSP; impact: spoofing, phishing) (CVE-2015-4518)
Reader Mode does not completely disable all active content (XSS)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-118

CSP bypass due to permissive Reader mode whitelist

Description

References