Mozilla Foundation Security Advisory 2016-46

Elevation of privilege with chrome.tabs.update API in web extensions

Announced
April 26, 2016
Reporter
Muneaki Nishimura
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 46

Description

Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that the chrome.tabs.update API for web extensions allows for navigation to javascript: URLs without additional permissions. This can used to elevate privilege for a universal cross-site scripting (XSS) attack by a malicious web extension. It can also be used to inject content into other extensions if they load content within browser tabs.

References