Summary: CVE-2023-25728 is a vulnerability in Firefox's handling of the Content-Security-Policy-Report-Only header: when user interaction with a child iframe triggers a redirect, the violation report could include the iframe's full, unredacted URI, exposing it to an attacker who receives the reports. It affects Firefox versions earlier than 110, Thunderbird versions earlier than 102.8, and Firefox ESR versions earlier than 102.8.
Description
The Content-Security-Policy-Report-Only header is an HTTP response header that lets web developers trial a Content Security Policy (CSP) without blocking any content. Violations of the policy are not enforced; instead the browser reports them to the URI named in the policy, so developers can monitor what a policy would have blocked.
However, CVE-2023-25728 is a flaw in how the affected Firefox versions generate these reports: when user interaction with a child iframe triggers a redirect, the report can contain the iframe's original, unredacted URI instead of a redacted form. Anyone receiving the reports thereby gains access to sensitive information carried in that URI.
Exploit Details
Suppose an attacker serves HTML that embeds an iframe whose navigation redirects to a URI carrying sensitive data. When the user interacts with the iframe and the redirect occurs, the vulnerability causes the Content-Security-Policy-Report-Only violation report to contain the child iframe's full, unredacted URI, which the attacker can then read.
Example Code Snippet:
```html
<!DOCTYPE html>
<html>
<head>
  <!-- Content-Security-Policy-Report-Only cannot be set from a <meta> tag;
       browsers ignore it there. It must arrive as an HTTP response header, e.g.
         Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp
       Without a report-uri or report-to directive no violation report is sent. -->
</head>
<body>
  <!-- Child frame whose navigation redirects; the redirect target's unredacted
       URI is what the affected Firefox versions leaked in the violation report. -->
  <iframe src="redirect.html"></iframe>
</body>
</html>
```
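The leak reaches whoever receives the violation reports, so a site's own report collector can also end up logging sensitive frame URIs. As an added example (not code from the advisory or from Mozilla), the following Python collector applies the redaction that CSP3's "strip URL for use in reports" algorithm prescribes, cutting a cross-origin URI back to its origin before anything is stored. It is defence in depth for your own reporting pipeline and no substitute for upgrading; the sample report, hostnames and token value are constructed placeholders.

```python
# Added example: redact URLs in a CSP violation report the way CSP3's
# "strip URL for use in reports" algorithm prescribes. The sample report below
# is constructed; hostnames and the token value are placeholders.
import json
from urllib.parse import urlsplit, urlunsplit

# Report fields that carry URLs and therefore need redaction.
URL_FIELDS = ("blocked-uri", "document-uri", "referrer", "source-file")

def origin_of(url: str) -> str:
    """Serialise scheme://host[:port], dropping any userinfo."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}"

def redact_for_report(url: str, document_origin: str) -> str:
    """Non-http(s) schemes collapse to the scheme name; credentials and the
    fragment are always dropped; a cross-origin URL is reduced to its origin
    so its path and query cannot leak into the report."""
    p = urlsplit(url)
    if not p.scheme:           # "inline", "eval", "" are not URLs; keep as-is
        return url
    if p.scheme not in ("http", "https"):
        return p.scheme
    host = p.netloc.rsplit("@", 1)[-1]
    if f"{p.scheme}://{host}" != document_origin:
        return f"{p.scheme}://{host}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def sanitize_report(raw: str) -> dict:
    """Parse a report-uri JSON body and redact its URL fields relative to the
    origin of the document that generated the report."""
    report = json.loads(raw)["csp-report"]
    doc_origin = origin_of(report["document-uri"])
    for field in URL_FIELDS:
        if field in report:
            report[field] = redact_for_report(report[field], doc_origin)
    return report

# Constructed report: the cross-origin frame URI arrives with its full path and
# query string, which a compliant browser would have cut back to the origin.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/page?tab=1#x",
    "referrer": "",
    "blocked-uri": "https://frames.example/view?token=PLACEHOLDER_SECRET",
    "violated-directive": "frame-src",
    "original-policy": "default-src 'self'; report-uri /csp",
}})

if __name__ == "__main__":
    print(json.dumps(sanitize_report(SAMPLE_REPORT), indent=2))
```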
The issue is fixed in Firefox 110 or later, Thunderbird 102.8 or later, and Firefox ESR 102.8 or later. You can download the updated versions of these products from their respective official websites:
- Firefox
- Thunderbird
- Firefox ESR
Original References
- Mozilla Foundation Security Advisory 2023-13
- Mozilla Developer Network - Content-Security-Policy-Report-Only
Conclusion
CVE-2023-25728 is a serious vulnerability that has the potential to leak sensitive data if an attacker can exploit it. To protect against this vulnerability and minimize the risk of exposure, it is essential to update the affected software versions to the latest ones available. Furthermore, being aware of this vulnerability and understanding how it can be exploited will help developers avoid potential pitfalls in their implementations of the Content-Security-Policy-Report-Only header.
Timeline
Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 14:01:00 UTC