MozillaZine

XSS- Cross site scripting add-ons page(solved)

Discussion of general topics about Mozilla Firefox
Grumpus

User avatar
 
Posts: 11760
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Post Posted November 2nd, 2017, 4:30 am

Just a heads up, NoScript is indicating an XSS - cross site scripting attack for the add-ons page.
This happens first time opening a Firefox session and doesn't seem to reoccur unless Firefox is closed and reopened.
It may be related to the Google pageads as I have encountered this with Mhz1 networks and the pageads were indicated there as well.
If Mozilla is forcing ads for the new add-ons connection this could be the problem but just guessing at this point.
It may also be one of the advertisers trying something questionable.
If you don't know what XSS is - there's this Cross Site Scripting
Last edited by Grumpus on November 6th, 2017, 6:14 am, edited 1 time in total.

Grumpus

User avatar
 
Posts: 11760
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Post Posted November 2nd, 2017, 10:12 am

Looks like it's relative to the "Get Addons" part of /Tools/Addons. If Extensions or services or plugins is the opening page there doesn't appear to be an issue.
Seems to happen only once per session or after a Restart.
It's definitely related to the Google pageads and also google-analytics and google ; both http.
There's also a preliminary "404 page not found" error and the panel for "What is an addon" appears.
Also it seems to be looking for the chrome.manifest using the wrong uri, manifest is also empty.

Grumpus

User avatar
 
Posts: 11760
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Post Posted November 6th, 2017, 6:27 am

Looks like two issues for why this is occurring with the Linux Mint 17 version of Firefox.
On one hand there is difference in the hash sum being used between this version of Firefox 56 and the page, (256 to 512)
Second issue is the page call to the wrong folder for the chrome.manifest.
There's also some of the following:
Loading failed for the <script> with source “http://www.google-analytics.com/ga.js”. viewtopic.php:1
Loading failed for the <script> with source “http://pagead2.googlesyndication.com/pagead/show_ads.js”. viewtopic.php:130
Loading failed for the <script> with source “http://pagead2.googlesyndication.com/pagead/show_ads.js”. viewtopic.php:536
Loading failed for the <script> with source “http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en”. viewtopic.php:591
Loading failed for the <script> with source “http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en”.

. . . and this: Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.

So unless I misunderstand, these things are on Linux Mint version of 56 and not Mozilla but I could be wrong as usual, maybe something was missed or just not finished in application yet. Somehow or other there's still the issue of a 404 page not found error initially and then a switch to the What is an Add-on Page without search but the search function still applies on the extensions section of the add-ons.

For what it's worth this could also be sloppy syntax on the part of the page maintainer or an actual exploit.

Return to Firefox General


Who is online

Users browsing this forum: No registered users and 4 guests