Mozilla Foundation Security Advisory 2015-153

HTML injection in homescreen app bypassing DOM sanitizer

Announced

December 30, 2015

Reporter

Muneaki Nishimura

Impact

High

Products

Firefox OS

Fixed in

Firefox OS 2.5

Description

Mozilla fixed a bug in the l10n localization of the default homescreen app of Firefox OS reported by security researcher Muneaki Nishimura. Exploiting this issue requires tricking the user into bookmarking a specially crafted web page via the 'Add to home screen' functionality. As a result, an iframe controlled by the attacker would be executed with homescreen privileges, potentially leading to further system compromise.

References

HTML injection on homescreen app (with bypassing DOM sanitizer) (CVE-2015-8510)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-153

HTML injection in homescreen app bypassing DOM sanitizer

Description

References