CVE-2022-28282 Using a link rel="localization"> could lead to a use-after-free and potential exploitable crash.

When using the code>rel="localization"/code> link type, the a> tag does not close after the object has been destroyed, potentially allowing for a use-after-free. This could lead to a potential crash and possible remote code execution. Thunderbird and Firefox are not direct targets for this issue, but if an attacker can convince a user to install a malicious extension, then this issue could be leveraged to install code on the user’s machine.

An attacker could host a malicious extension on a third-party host and thus push an unsuspecting user to install the extension. During installation, the user accepts the “Do you want to install a href=“"> this extension?/a>” prompt and accepts the installation. This prompts the user to restart Thunderbird or Firefox. After restart, the use-after-free occurs and the attacker’s code is executed.

This issue affects Thunderbird  91.8, Firefox  99, and Firefox ESR  91.8. When using the code>rel="localization"/code> link type, the a> tag does not close after the object has been destroyed, potentially allowing for a use-after-free. This could lead to a potential crash and possible remote code execution. Thunderbird and Firefox are not direct targets for this issue, but if an attacker can convince a user to install a malicious extension, then this issue

Vulnerability Scenario

An attacker can convince a user to install a malicious extension. During installation, the user accepts the “Do you want to install a href=“"> this extension?/a>” prompt and accepts the installation. This prompts the user to restart Thunderbird or Firefox. After restart, the use-after-free occurs and the attacker’s code is executed.

Vulnerability Summary

This vulnerability is caused when a use-after-free occurs in the JavaScript engine. This could lead to a potential crash and possible remote code execution. Thunderbird and Firefox are not directly targets for this issue, but if an attacker can convince a user to install a malicious extension, then this issue could be leveraged to install code on the user’s machine.

Thunderbird and Firefox are not direct targets for this issue, but if an attacker can convince a user to install a malicious extension, then this issue could be leveraged to install code on the user’s machine

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 20:54:00 UTC

References