Security: Bookmarks with javascript uri can execute javascript in the dom of the website loaded inside the active tab
Reported by
kieran....@gmail.com,
Dec 10 2017
Issue description

VULNERABILITY DETAILS
There are two issues that, if combined, introduce a security issue.
* Bookmarks can have URI schemes other than HTTP or HTTPS
* Bookmarks are opened in the current tab, and not in a new tab.

This last issue can be chained with the first issue to execute JavaScript inside the DOM of the website that's loaded in the active tab at the moment that the malicious bookmark is being clicked.

VERSION
Chrome Version: Version 62.0.3202.94 (Official Build) (64-bit)
Operating System: Windows 10

REPRODUCTION CASE
To achieve this bug, please follow the steps below:
* Import a bookmark with the JavaScript URI (I have attached one to this report). To import a bookmark: https://support.google.com/chrome/answer/96816?hl=en
* Once the bookmark has been imported into Chrome, go to https://www.google.com
* While on google.com, click the imported bookmark
* As you can see, the JavaScript will execute on www.google.com

Video POC (without importing the bookmark): https://vimeo.com/246712973 password: GOOGLETOPSEC^

POSSIBLE MITIGATION:
I think opening bookmarks directly in a new tab solves this issue since it can't access the DOM of other websites anymore.
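An added example, not part of the original report or of Chromium's code: a pre-import audit that parses a Netscape-format bookmark export (the HTML format browsers import) and lists every entry whose scheme is not HTTP or HTTPS. The allow-list, the function names and the sample file are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https"}  # assumption: audit policy, not a Chrome setting
C0_AND_SPACE = "".join(map(chr, range(0x21)))


def scheme_of(href):
    """Return the lowercased scheme the way a browser URL parser would see it."""
    # Browsers strip leading/trailing control characters and spaces, and drop
    # tab/newline characters anywhere in the URL, so "Java\tScript:" still matches.
    cleaned = href.strip(C0_AND_SPACE)
    cleaned = cleaned.replace("\t", "").replace("\n", "").replace("\r", "")
    head, sep, _ = cleaned.partition(":")
    return head.lower() if sep else ""


class BookmarkCollector(HTMLParser):
    """Collects (href, title) for each <A HREF=...> entry in the export."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.entries, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.entries.append(tuple(self._open))
            self._open = None


def flag_bookmarks(export_html):
    """Return (title, scheme, href) for every bookmark outside the allow-list."""
    collector = BookmarkCollector()
    collector.feed(export_html)
    return [(title.strip(), scheme_of(href), href)
            for href, title in collector.entries
            if scheme_of(href) not in ALLOWED_SCHEMES]


# Constructed sample export; entries are illustrative only.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE><H1>Bookmarks</H1>
<DL><p>
    <DT><A HREF="https://www.google.com/" ADD_DATE="1512864000">Search</A>
    <DT><A HREF="javascript:void(0)" ADD_DATE="1512864000">Free coupons</A>
    <DT><A HREF=" Java&#9;Script:void(0)">Padded</A>
    <DT><A HREF="http://example.com/">Example</A>
</DL><p>"""

if __name__ == "__main__":
    for title, scheme, href in flag_bookmarks(SAMPLE_EXPORT):
        print(f"review before import: {title!r} uses scheme {scheme!r}: {href!r}")
```
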
,
Mar 19 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 28
Issue 909624 has been merged into this issue.
Comment 1 by elawrence@chromium.org, Dec 11 2017
Status: WontFix (was: Unconfirmed)