Developers Reduce Firefox Code Injection Exposure

Mozilla has removed features that exposed the browser to code injection attacks via its about: pages and JavaScript’s ‘dangerous’ eval() function

Firefox developer Mozilla said it has removed features from the browser that could have provided an opportunity for code injection attacks.

Developers removed inline scripts from the browser’s about: pages, which display the internal state of the browser, and removed eval() and similar functions, said content security lead Christoph Kerschbaumer.

The browser’s about: pages display information such as installed plug-ins or the state of various browser settings.

But the pages are written using HTML and JavaScript, and as such can be targeted by code injection attacks like any other web page.


Code injection

“If an attacker manages to inject code into such an about: page, it potentially allows an attacker to execute the injected script code in the security context of the browser itself, hence allowing the attacker to perform arbitrary actions on the behalf of the user,” Kerschbaumer said in a blog post.

To reduce this risk, the team rewrote all 45 about: pages and moved their JavaScript resources into packaged resources.

That allowed developers to apply stronger content security policies to the pages, which, for instance, prevent injected JavaScript from running.

Instead, the pages’ code only runs when loaded from a packaged resource using the browser’s internal chrome: protocol, Kerschbaumer said.

“Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” he wrote.
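The defence described above rests on a Content Security Policy whose script-src allows neither inline script nor eval()-like functions. The following checker, an added example rather than Mozilla’s or Firefox’s own code, parses a CSP header value and answers exactly those two questions for it. The two sample policies are constructed for the illustration: the “hardened” one only borrows the chrome: scheme named in the article and is not the policy Firefox actually ships.

```javascript
// Added example (not Firefox code): a small CSP checker that reports whether a
// policy still permits the two things the article's hardening removes:
// inline <script> blocks and eval()-like string-to-code functions.

// Parse a CSP header value into a Map of directive name -> array of source
// expressions. Directives are ';'-separated, tokens inside are whitespace-separated.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // CSP ignores a repeated directive; keep the first occurrence only.
    if (!policy.has(key)) policy.set(key, sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// script-src governs scripts; if it is absent default-src applies; if neither
// is present the policy says nothing about scripts and everything is allowed.
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // unrestricted
}

function allowsInlineScript(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  // A nonce or hash source disables 'unsafe-inline' (CSP Level 2 and later),
  // so only scripts carrying a matching nonce or hash may run.
  const hasNonceOrHash = sources.some((s) =>
    s.startsWith("'nonce-") || s.startsWith("'sha256-") ||
    s.startsWith("'sha384-") || s.startsWith("'sha512-"));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function allowsEval(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.includes("'unsafe-eval'");
}

// Constructed sample policies (assumptions, not Firefox's real policy):
// a weak one that permits both, and one in the spirit of "packaged resources
// over chrome: only", which permits neither.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const HARDENED_POLICY = "default-src chrome:; script-src chrome:; object-src 'none'";

// Summarise a policy as the two yes/no answers a reviewer wants.
function report(header) {
  return { inlineScript: allowsInlineScript(header), eval: allowsEval(header) };
}

console.log('weak:', report(WEAK_POLICY));
console.log('hardened:', report(HARDENED_POLICY));
```

Run it with Node; the weak policy reports both answers as true and the hardened one as false. The nonce/hash rule matters in practice: a policy that lists 'unsafe-inline' together with a nonce is not weak, because browsers that understand nonces ignore the 'unsafe-inline' keyword.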

‘Powerful but dangerous’

Developers have also changed the way JavaScript’s eval() function works in order to decrease the risk from what Kerschbaumer called a “powerful but dangerous tool”.

eval() parses a string and executes it as code in the same security context as the code that called it, which introduces a significant attack surface for code injection, he said.

To reduce the risk, the team rewrote all uses of eval() and similar functions in system-privileged contexts and in the parent process of the Firefox codebase, and added assertions that disallow the use of eval()-like functions in system-privileged script contexts.

This was in part intended to discourage developers from using the function.

Kerschbaumer said Mozilla’s tests unexpectedly found that some users were making use of eval() and other features to customise the browser.

“When we detect that the user has enabled such tricks, we will disable our blocking mechanism and allow usage of eval(),” he wrote.
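The assertion-plus-escape-hatch arrangement described above can be illustrated with a small runtime guard. This is an added example and not Mozilla’s implementation: the guard replaces the global eval() and Function bindings with versions that throw in a privileged context, and the user-customisation detection is modelled as a flag (installEvalGuard, EvalDisallowedError and parseConfig are names chosen for the example; how Firefox actually detects such customisation is not described in the article).

```javascript
// Added example (not Firefox code): a guard in the spirit of the assertions the
// article describes. Once installed, any remaining string-to-code path in the
// privileged context fails loudly instead of quietly widening the attack surface.

const ORIGINALS = { eval: globalThis.eval, Function: globalThis.Function };
let guardInstalled = false;

class EvalDisallowedError extends Error {
  constructor(api) {
    super(`${api} is disallowed in this privileged context`);
    this.name = 'EvalDisallowedError';
  }
}

// Install the guard. Mirrors the escape hatch quoted above: when user
// customisation is detected the guard is not installed and eval() keeps working.
// The detection itself is an assumption, passed in as a flag.
function installEvalGuard({ userCustomizationDetected = false } = {}) {
  if (userCustomizationDetected) return false;
  if (guardInstalled) return true;
  globalThis.eval = function guardedEval() {
    throw new EvalDisallowedError('eval()');
  };
  const guardedFunction = function guardedFunction() {
    throw new EvalDisallowedError('Function()');
  };
  // Keep `x instanceof Function` working for ordinary functions.
  guardedFunction.prototype = ORIGINALS.Function.prototype;
  globalThis.Function = guardedFunction;
  guardInstalled = true;
  return true;
}

function uninstallEvalGuard() {
  globalThis.eval = ORIGINALS.eval;
  globalThis.Function = ORIGINALS.Function;
  guardInstalled = false;
}

// The usual legitimate reason code reaches for eval() is turning data into
// objects. JSON.parse does that without executing anything, so it keeps
// working while the guard is active.
function parseConfig(text) {
  return JSON.parse(text);
}

// Probe whether the guard is active by attempting a harmless evaluation.
function evalIsBlocked() {
  try {
    globalThis.eval('1 + 1');
    return false;
  } catch (e) {
    return e instanceof EvalDisallowedError;
  }
}

// Caveat: replacing the global bindings catches developer mistakes, which is
// what an assertion is for; it is not a security boundary on its own, because
// Function.prototype.constructor still reaches the original constructor.
// The enforcement layer is a CSP whose script-src omits 'unsafe-eval'.
```

Usage: call installEvalGuard() early in the privileged context; an eval() or new Function() call anywhere afterwards raises EvalDisallowedError, which is the point at which a developer finds and rewrites the offending code, as the article says the Firefox team did. The closing comment is the caveat that matters: the guard is a development-time assertion, and the CSP is what actually blocks injected code.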

As part of its ongoing security development Mozilla recently announced a feature called DNS-over-HTTPS (DoH), which is designed to bolster users’ privacy, but said it would not switch the feature on by default for users in the UK.

The UK government had raised concerns that DoH could make it more difficult for law enforcement authorities to track the web usage of suspects.