A critical vulnerability, designated as CVE-2023-25729, has been identified in Mozilla Firefox, Thunderbird, and Firefox ESR, where permission prompts for opening external schemes were only displayed for ContentPrincipals, resulting in browser extensions being able to open them without any user interaction through ExpandedPrincipals. This security issue could potentially lead to more severe malicious activities, such as unauthorized file downloads or interference with software already installed on a user's system.

Original References

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25729
- Mozilla Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2023-42/

Exploit Details

Normally, when a user clicks a link to an external scheme within a web page, the browser prompts the user to confirm the action before handing the link to an external application. Because Mozilla's permission-prompt implementation showed the prompt only for ContentPrincipals, a request carrying an ExpandedPrincipal (the kind extensions run under) skipped the prompt, and the external application was launched without any user interaction.

The following snippet, reproduced as given in the original write-up, illustrates how an extension could misuse an ExpandedPrincipal to bypass the intended permission prompt. Note that `browser.windows.ExpandedPrincipal` and the `creatingPrincipal` option are not part of the public WebExtension API (ExpandedPrincipal is an internal Gecko concept), so read the snippet as pseudocode for the flaw rather than a working call sequence:

// Using ExpandedPrincipals to bypass permission prompt
(async () => {
  const url = 'mailto:test@example.com';
  const ep = new browser.windows.ExpandedPrincipal([url]);
  await browser.tabs.create({url, openInReaderMode: true, creatingPrincipal: ep});
})();

The snippet opens a mailto: URL from a context carrying an ExpandedPrincipal, so the prompt that should be shown to the user is skipped. The same path applies to any other external scheme (ftp://, file://, or custom URL handlers registered by installed software), which is what links this prompt bypass to the unauthorized downloads and interference with installed software mentioned above.
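As an added illustration (not the page's or Mozilla's code), the following JavaScript models the prompt decision the advisory describes: a check keyed on a single principal type beside a deny-by-default version. The principal kinds follow Gecko's names; the functions, scheme list and sample requests are constructed for the example.

```javascript
// Added example (not Mozilla's code): a simplified model of the decision
// "does launching an external protocol handler need a user prompt?".
const PrincipalKind = Object.freeze({
  CONTENT: 'ContentPrincipal',   // ordinary web page
  EXPANDED: 'ExpandedPrincipal', // extension content-script context
  SYSTEM: 'SystemPrincipal',     // browser chrome itself
  NULL: 'NullPrincipal',         // sandboxed / opaque origin
});

// Schemes the browser renders itself; anything else goes to an external handler.
const INTERNAL_SCHEMES = new Set(['http', 'https', 'about', 'blob', 'data', 'moz-extension']);

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function isExternal(url) {
  const scheme = schemeOf(url);
  return scheme !== null && !INTERNAL_SCHEMES.has(scheme);
}

// Vulnerable shape, as the advisory describes it: the prompt is keyed on one
// principal type, so an ExpandedPrincipal falls through and launches silently.
function shouldPromptVulnerable(principal, url) {
  if (!isExternal(url)) return false;
  return principal.kind === PrincipalKind.CONTENT;
}

// Hardened shape (illustrative, not the upstream patch): deny by default. Only
// the browser's own SystemPrincipal skips confirmation; everything else is prompted.
function shouldPromptHardened(principal, url) {
  if (!isExternal(url)) return false;
  return principal.kind !== PrincipalKind.SYSTEM;
}

// Constructed requests covering each principal kind against a mailto: URL.
const SAMPLE_REQUESTS = Object.values(PrincipalKind).map((kind) => ({
  principal: { kind },
  url: 'mailto:test@example.com',
}));

// Which principal kinds a given policy lets launch an external handler unprompted.
function silentExternalLaunches(decide, requests = SAMPLE_REQUESTS) {
  return requests
    .filter((r) => isExternal(r.url) && !decide(r.principal, r.url))
    .map((r) => r.principal.kind);
}
```

Running `silentExternalLaunches` with each policy shows the difference directly: the single-type check lets ExpandedPrincipal, SystemPrincipal and NullPrincipal through unprompted, while the deny-by-default version exempts only SystemPrincipal.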

Mitigation and Protection

To protect yourself from this vulnerability, update Mozilla Firefox, Thunderbird, and Firefox ESR to a fixed version:
- Firefox 110 or higher: https://www.mozilla.org/en-US/firefox/new/
- Thunderbird 102.8 or higher: https://www.thunderbird.net/en-US/
- Firefox ESR 102.8 or higher: https://www.mozilla.org/en-US/firefox/organizations/

Additionally, it is good practice to avoid installing untrusted browser extensions and to periodically review installed extensions to ensure that they are actively maintained and have no known security issues.

Conclusion

The CVE-2023-25729 vulnerability poses a significant security risk for users running affected Mozilla Firefox, Thunderbird, and Firefox ESR versions. Immediate action to update the software to the latest version is crucial to prevent potential exploitation of this vulnerability.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 14:03:00 UTC