A leading security researcher has discovered a vulnerability in Firefox
that could compromise websites and browsers.
“[Firefox has] a design implementation that I believe could lead to a lot of websites and browser extensions being compromised, which could lead to the browser being compromised as well," researcher Petko Petkov told SCMagazineUS.com after revealing the flaw on Gnucitizen's blog
“Attackers are able to launch cross-site scripting
(XSS) attacks from any origin (kind of like universal XSS) or escalate their privileges to chrome (not trivial) by tricking the victim into performing an action, such as clicking on a link,” he said on the blog of Gnucitizen, a penetration-testing organization.
Firefox, unlike the Opera
URLs," giving data URLs enhanced privileges that can compromise the browser, he said.
Petkov called the flaw a "medium-risk" vulnerability.
"In some situations, however, this vulnerability could easily escalate to high-risk when combined with other low-risk issues,” he said.
Mozilla is aware of the vulnerability and "deciding what to do with it,” said Petkov, who found the flaw on Firefox version 126.96.36.199, but said it also impacts the just-released version 188.8.131.52. “I don't think that it is in their priority list at the moment. I believe that they might change their minds when someone uses the vector in a attack of a higher magnitude."
Mozilla representatives could not be reached for comment.