Mozilla has fixed one XSS (cross-site scripting) bug on its Add-ons portal and is in the process of squashing other two, one also in its Add-ons portal while the second in its Support Center.
According to security researcher Ashar Javed, who discovered all three bugs, the first flaw, the one that affected the Add-ons portal, was exploitable via the “Create new collection” feature.
The Mozilla Add-ons portal allows registered users to create collections of add-ons. These collections can be used to organize add-ons in different packs, for personal or business purposes, and can also be shared with friends or associates via social media.
Mr. Javed discovered that you could add malicious code in the collection’s name field, which was insufficiently sanitized before being stored in Mozilla’s database.
Users that later accessed the collection’s page to view the list of a particular set of add-ons would have been exposed to all kinds of attacks that could be carried out via XSS flaws, the most common of them being cookie theft.
Nobody escapes an XSS flaw, not even Mozilla
At one point or another, any site is vulnerable to an XSS flaw, and most of the times, webmasters hope that the flaw is not found in a page with too much traffic. Add-on collections have their purpose and are quite useful to Firefox users.
That’s why, for his work in discovering the issue, Mr. Javed received a $2,500 reward from Mozilla’s staff, which may possibly go up when Mozilla fixes the other two issues he also discovered.
Since these two have not yet been solved, the researcher has not provided any details about them, except for the location where they were found.
This particular XSS bug was discovered last year on December 26 and was fixed on January 7, this year.