June 20, 2015
June 19, 2015
June 17, 2015
Giorgio Maone/NoScript
Affected all systems with NoScript version < 2.6.9.27.
Due to an expired domain, vjs.zendcdn.net, in the default whitelist for NoScript, it is possible to bypass the protection offered by the add-on by registering the expired domain name.
An update has been released that fixed this issue as of June 19, 2015.
Because the expired domain vjs.zendcdn.net was in the default whitelist for NoScript, a malicious user could bypass the protection offered by the add-on by registering the expired domain name. Since the add-on explicitly trusted this domain, a malicious user could host malicious payloads on vjs.zendcdn.net that execute JavaScript despite NoScript being enabled. To prevent this attack, the domain was registered and redirected to 127.0.0.1.
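A maintainer-side audit for this class of issue, as an added example that is not NoScript's code: it walks a default allowlist and flags hosts that no longer resolve (a signal to check registration status, not proof of expiry) or that resolve only to loopback, as the sinkholed domain above does. The allowlist entries other than vjs.zendcdn.net, the DNS answers, and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample allowlist; only vjs.zendcdn.net comes from the advisory.
SAMPLE_ALLOWLIST = ["vjs.zendcdn.net", "cdn.example.com",
                    "static.example.org", "about:blank"]

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "vjs.zendcdn.net": ["127.0.0.1"],    # sinkholed, as the advisory describes
    "cdn.example.com": ["203.0.113.10"],
    "static.example.org": [],            # no answer: registration may have lapsed
}

def system_resolver(host):
    """Resolve host with the OS resolver; an empty list means no answer."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def _is_non_routable(addr):
    """True for loopback or unspecified addresses (typical sinkhole targets)."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    return ip.is_loopback or ip.is_unspecified

def audit_allowlist(entries, resolve=system_resolver):
    """Return {host: finding} for allowlist entries that need manual review."""
    findings = {}
    for entry in entries:
        host = entry.strip().lower().rstrip(".")
        # Skip non-host entries such as about: or chrome: URLs.
        if ":" in host or "." not in host:
            continue
        addrs = resolve(host)
        if not addrs:
            findings[host] = "unresolvable: check registration status"
        elif all(_is_non_routable(a) for a in addrs):
            findings[host] = "sinkholed: remove from allowlist"
    return findings

if __name__ == "__main__":
    # Uses the constructed answers; drop the second argument to query real DNS.
    report = audit_allowlist(SAMPLE_ALLOWLIST, lambda h: SAMPLE_DNS.get(h, []))
    for host, finding in report.items():
        print(f"{host}: {finding}")
```

Run as a release gate, this turns a silently lapsed allowlist entry into a failed check before the list ships to users.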
Matt Bryant of Bishop Fox