BACK TO LIST

NoScript Bypass

Matt Bryant
on Jul 6, 2015 1:09:50 PM

Release Date

June 20, 2015

Patch Date

June 19, 2015

Reported Date

June 17, 2015

Vendor

Giorgio Maone/NoScript

Systems Affected

Affected all systems with NoScript version < 2.6.9.27.

Summary

Due an expired domain of vjs.zendcdn.net in the default whitelist for NoScript, it is possible to bypass the protection offered by the add-on by registering the expired domain name.

Vendor Status

An update has been released that fixed this issue as of June 19, 2015.

Exploit Availability

Because of the expired domain of vjs.zendcdn.net in the default whitelist for NoScript, it is possible for a malicious user to bypass the protection offered by the add-on by registering the expired domain name. Since the add-on explicitly trusted this domain, a malicious user could host malicious payloads on vjz.zendcdn.net that execute JavaScript despite NoScript being enabled. To prevent this attack, the domain was registered and redirected to 127.0.0.1.

Researcher

Matt Bryant of Bishop Fox

Index

Keywords

Related Content

Advisories AirDroid Web Application Authentication Flaw
Advisories OS X Messages (iMessage): XSS & File Disclosure
Advisories LastPass Site Password-Stealing Clickjacking Vulnerability

MANAGED SERVICES

CONSULTING SERVICES

PARTNER PROGRAMS

LABS | RESEARCH & RESOURCES

CAREERS

COMPANY

COMMUNITY

CONTACT

ADDRESS

8240 S. Kyrene Rd.
Suite A113
Tempe, AZ
85284
United States

Copyright © 2021   Bishop Fox Privacy Statement