It affects also Firefox  61.0.3 and Firefox ESR  42.3.1, and SeaMonkey  2.49.1. This issue was addressed by not allowing remote loading of arbitrary JavaScript files. Firefox will now display a security warning if you try to visit a remote resource through an HTML code>iframe/code> element.

CVE-2018-13085 WebExtensions can use the about:config preference browser.frameNavigation.enabled to determine if a page is loaded in an iframe or not. If the preference is disabled, WebExtensions can detect if a page is loaded in an iframe and disables all XPCOM functions. This can lead to remote code execution when a page is loaded in an ififrame.
A WebExtension can also use about:config to force XPCOM functions to be enabled. This can lead to remote code execution when a page is loaded in an iframe.

CVE-2018-13086 A WebExtension can also use about:config to force XPCOM functions to be enabled. This can lead to remote code execution when a page is loaded in an iframe.
This issue was fixed in Firefox 65.

Overview

Two security vulnerabilities have been found in the Firefox web browser. These vulnerabilities could allow malicious websites to cause a crash of the browser, affecting both Firefox and SeaMonkey.

There are two separate issues that need to be addressed. The first issue is with WebExtensions, which can use the about:config preference browser.frameNavigation.enabled to determine if a page is loaded in an iframe or not. If the preference is disabled, WebExtensions can detect if a page is loaded in an iframe and disables all XPCOM functions. This can lead to remote code execution when a page is loaded in an ififrame. The second issue is with XPCOM itself- XPCOM functions can use about:config to set their state, but they can also be forced by WebExtension APIs through about:config- this means that any website that has access to these functions can potentially execute arbitrary code on your system by forcing them as well as disable protections from being able to detect frames/iframes etc..

Security guidance for users of Firefox web browsers

A vulnerability in the Firefox browser has been addressed through the release of Firefox 65. The vulnerability could allow remote code execution when a page is loading in an iframe. As such, it is recommended that users update to Firefox 65 or later versions as soon as possible.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 22:14:00 UTC

References