Popup Blocker Pro Chrome Extension Stored Cross Site Scripting

2017.01.24

Credit: Aaditya Purani

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Summary :
Pop-Up Blocker Pro latest version suffers from Stored Cross Site Scripting
Products Affected :
Version 1.3.5 Chrome Extension
Link :
https://chrome.google.com/webstore/detail/popup-blocker-pro/kiodaajmphnkcajieajajinghpejdjai?hl=en
Proof of Concept :
The file options/options.htm suffers from Stored XSS due to lack of output filter. Go to chrome-extension://kiodaajmphnkcajieajajinghpejdjai/options/options.htm
After that, in the Whitelisted Sites section, add the Payload <script>alert(1)</script> and press enter.
After that each time you visit the extension link, it would prompt a Stored XSS.
Credits:
Aaditya Purani

References:

https://chrome.google.com/webstore/detail/popup-blocker-pro/kiodaajmphnkcajieajajinghpejdjai?hl=en

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Popup Blocker Pro Chrome Extension Stored Cross Site Scripting

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.