Firefox Blocks Inline and Eval JavaScript on Internal Pages to Prevent Injection Attacks

October 15, 2019
in Internet Privacy

In an effort to mitigate a large class of potential cross-site scripting issues in Firefox, Mozilla has blocked the execution of all inline scripts and of potentially dangerous eval-like functions on the built-in “about: pages”, which are the gateway to the browser's sensitive preferences, settings, and statistics.

Firefox has 45 such internal, locally-hosted about: pages; some that you might have noticed or used at some point are listed below:

  • about:config — panel to modify Firefox preferences and critical settings.
  • about:downloads — your recent downloads done within Firefox.
  • about:memory — shows the memory usage of Firefox.
  • about:newtab — the default new tab page.
  • about:plugins — lists all your plugins as well as other useful information.
  • about:privatebrowsing — open a new private window.
  • about:networking — displays networking information.

To be clear, these changes do not affect how websites from the Internet work in Firefox, but going forward, Mozilla vows to “closely audit and evaluate” the use of harmful functions in third-party extensions and other built-in mechanisms.

Firefox Disabled Inline JavaScript for Security

Since all these pages are written in HTML/JavaScript and render in the security context of the browser itself, they are also prone to code injection attacks that, given a vulnerability, could allow remote attackers to inject and execute arbitrary code on behalf of the user, i.e., cross-site scripting (XSS) attacks.

To add a robust first line of defense against code injection attacks, even when a vulnerability exists, Mozilla has blocked the execution of all inline scripts, and thus of any injected scripts as well, by implementing a strict Content Security Policy (CSP) that ensures JavaScript code only executes when it is loaded from a packaged resource over the browser's internal protocol.

To achieve this, Mozilla had to rewrite all inline event handlers and move all inline JavaScript code out-of-line into separate packaged files for all 45 about: pages.

“Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla said in a blog post published earlier today.

NO EVAL, NO EVIL!

When attackers can’t inject script directly, they turn to the JavaScript function eval() and similar methods to trick the target application into converting attacker-controlled text into executable JavaScript, achieving code injection that way.

So, in addition to inline scripts, Mozilla has also removed and blocked eval-like functions, which the browser maker considers another “dangerous tool,” as they parse and execute an arbitrary string in the same security context as the code that calls them.

“If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user’s machine with the permissions of your webpage/extension,” Mozilla explains on its MDN web docs.

Google also shares the same thought, as the tech giant says, “eval is dangerous inside an extension because the code it executes has access to everything in the extension’s high-permission environment.”

For this, Mozilla rewrote all uses of eval-like functions in system-privileged contexts and in the parent process throughout the Firefox code base.

Besides this, the company also added eval() assertions that disallow the use of the eval() function and its relatives in system-privileged script contexts and inform the Mozilla Security Team of any as-yet-unknown instances of eval().
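To make concrete what the CSP described above (blocking inline script, and the eval restriction discussed in this section) actually permits and refuses, here is an added example, not Mozilla's code, of a small script-src evaluator. The policy string `default-src chrome:; object-src 'none'` and the chrome:// path are assumptions for illustration; real about: pages may use different values.

```javascript
// Added example (not from Firefox): decide whether a script would run
// under a CSP. The policy below is ASSUMED to resemble the one Mozilla
// applied to about: pages: only packaged chrome: resources may load.
const ABOUT_PAGE_CSP = "default-src chrome:; object-src 'none'";

// Parse "directive src src; directive ..." into a Map of directive -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src when it is not set (CSP fetch-directive rule).
function scriptSources(directives) {
  return directives.get("script-src") ?? directives.get("default-src") ?? [];
}

// script is one of: { inline: true }, { eval: true }, { src: "scheme://..." }.
// Inline script (incl. onclick="..." handlers) needs 'unsafe-inline';
// eval()/Function()/setTimeout("...") need 'unsafe-eval'; everything else
// must match a scheme or origin in the source list.
function isScriptAllowed(policy, script) {
  const sources = scriptSources(parseCsp(policy));
  if (script.inline) return sources.includes("'unsafe-inline'");
  if (script.eval) return sources.includes("'unsafe-eval'");
  const url = new URL(script.src);
  return sources.some((source) => {
    if (source === "*") return true;
    // Scheme-only source such as "chrome:" matches any URL with that scheme.
    if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
    // Host source: compare by origin (no wildcard-host support in this toy).
    try { return new URL(source).origin === url.origin; } catch { return false; }
  });
}

// The rewrite Mozilla describes, in miniature: an inline handler such as
//   <button onclick="openSettings()">
// is refused by the policy above, so it becomes <button id="settings">
// plus, in a packaged chrome: script, something like
//   document.getElementById("settings").addEventListener("click", openSettings);
```

The hypothetical chrome:// path used in the checks below is a placeholder, not a real Firefox resource.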


Credit: The Hacker News By: noreply@blogger.com (Swati Khandelwal)
