NoScript Bypass

Release Date

June 20, 2015

Patch Date

June 19, 2015

Reported Date

June 17, 2015

Vendor

Giorgio Maone/NoScript

Systems Affected

Affected all systems with NoScript version < 2.6.9.27.

Summary

Due an expired domain of vjs.zendcdn.net in the default whitelist for NoScript, it is possible to bypass the protection offered by the add-on by registering the expired domain name.

Vendor Status

An update has been released that fixed this issue as of June 19, 2015.

Exploit Availability

Because of the expired domain of vjs.zendcdn.net in the default whitelist for NoScript, it is possible for a malicious user to bypass the protection offered by the add-on by registering the expired domain name. Since the add-on explicitly trusted this domain, a malicious user could host malicious payloads on vjz.zendcdn.net that execute JavaScript despite NoScript being enabled. To prevent this attack, the domain was registered and redirected to 127.0.0.1.

Researcher

Matt Bryant of Bishop Fox