Firefox Blocks Inline and Eval JavaScript on Internal Pages to Prevent Injection Attacks


In an effort to mitigate a large class of potential cross-site scripting issues in Firefox, Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions on the built-in "about:" pages, which are the gateway to sensitive preferences, settings, and statistics of the browser.

Firefox has 45 such internal, locally hosted about: pages. Some that you might have noticed or used at some point are listed below:

about:config — panel to modify Firefox preferences and critical settings.
about:downloads — your recent downloads done within Firefox.
about:memory — shows the memory usage of Firefox.
about:newtab — the default new tab page.
about:plugins — lists all your plugins as well as other useful information.
about:privatebrowsing — open a new private window.
about:networking — displays networking information.

Note that these changes do not affect how websites from the Internet work in Firefox, but going forward, Mozilla vows to "closely audit and evaluate" the usages of harmful functions in 3rd-party extensions and other built-in mechanisms.
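
A small static audit for the two things the change blocks, inline script and eval-like calls, run over a page before and after its script is moved into a separate file. This is an added example, not Mozilla's code and not from the original article; the function names, the sample pages and `page.js` are assumptions constructed for illustration.

```javascript
// Added example: static audit for inline script and eval-like calls. Regex-based to stay
// dependency-free; values containing ">" confuse it, so real audits need an HTML/JS parser.
const EVAL_LIKE = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "new Function", re: /\bnew\s+Function\s*\(/ },
  { name: "string timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];
// Flag eval-like constructs in a piece of JavaScript source.
function auditScript(source) {
  return EVAL_LIKE.filter(({ re }) => re.test(source))
    .map(({ name }) => ({ kind: "eval-like", detail: name }));
}

// Flag everything in an HTML document that counts as inline script.
function auditPage(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    if (!/\bsrc\s*=/i.test(attrs) && body.trim() !== "") {
      findings.push({ kind: "inline-script", detail: body.trim().slice(0, 30) });
      findings.push(...auditScript(body));
    }
  }
  // Scan the remaining tags for on* handlers and javascript: URLs.
  const tags = html.replace(scriptRe, "").match(/<[a-z][^>]*>/gi) || [];
  for (const tag of tags) {
    for (const [, attr] of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "inline-handler", detail: attr.toLowerCase() });
    }
    if (/\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(tag)) {
      findings.push({ kind: "javascript-url", detail: tag.slice(0, 30) });
    }
  }
  return findings;
}

// Constructed sample pages: the same UI before and after moving script out.
const BEFORE = `<body onload="init()">
<button onclick="resetPrefs()">Reset</button>
<a href="javascript:void(0)">More</a>
<script>function init(){ eval("render()"); setTimeout("tick()", 100); }</script>
</body>`;
const AFTER = `<body>
<button id="reset">Reset</button>
<a href="#" id="more">More</a>
<script src="page.js"></script>
</body>`;
console.log(auditPage(BEFORE).map((f) => `${f.kind}: ${f.detail}`));
console.log(auditPage(AFTER).length === 0 ? "AFTER is clean" : "AFTER has findings");
```

`auditScript` can also be pointed at the external `.js` files a page loads, since moving code out of the markup does not remove eval-like calls from it.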


Source: https://thehackernews.com/2019/10/firefox-javascript-injection.html

