Two of Mozilla’s Cross Reference sub-domains suffer from a cross-site scripting (XSS) vulnerability, according to the report posted by security researcher Wang Jing on the Tetraph Blog.
The vulnerability was submitted to Mozilla’s Bugzilla bug tracker on Sunday and has not yet received a fix.
“This means all URLs under the above two domains can be used for XSS attacks targeting Mozilla’s users,” Wang Jing said.
“Since there are large numbers of pages under them […] attackers can use different URLs to design XSS attacks toward Mozilla’s variety of users.”
A Proof-of-Concept video that validates the existence of an XSS flaw in Mozilla’s subdomains has also been published.
Even if the flaw’s exploitability is very low, an attacker who does exploit it could cause great damage, as the content of the two sub-domains (lxr.mozilla.org and mxr.mozilla.org) ranges from source code to extensions and toolbars.
Spear-phishing is the most likely scenario: the attacker finds a developer with write permissions to some important Mozilla components and gets that developer to click on a link that appears legitimate and to come from Mozilla. From there, he can steal cookies, personal data, authentication credentials and browser history.
With the developer’s credentials or cookies, the attacker can authenticate as him or hijack his session and inject code into one of Mozilla’s components to target more users, such as browser users. This is how things can turn bad if an attacker uses social engineering or spear-phishing to steal cookies or credentials.
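As an added example (not part of the original article and not Mozilla’s or the LXR/MXR code), the defensive side of the scenario above: a reflected-XSS bug of this kind comes from echoing part of the URL into the page without encoding, and the cookie theft it enables is blunted by cookie attributes. The handler names, the `q` query parameter and the cookie name are assumptions for illustration.

```javascript
// Added example, not from the article. Shows a URL value reflected raw
// (vulnerable) beside the same handler with HTML encoding (hardened), plus a
// session cookie set so that page script cannot read it even if XSS lands.

// Minimal HTML entity encoding for text placed in an element body or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pulls the assumed search parameter "q" out of a request path.
function searchTerm(requestPath) {
  // The base is a placeholder; only the query string matters here.
  return new URL(requestPath, 'http://example.invalid').searchParams.get('q') || '';
}

// Vulnerable: the search term is interpolated into the markup verbatim, so a
// crafted link controls what the victim's browser renders and runs.
function renderSearchUnsafe(requestPath) {
  return `<h1>Results for ${searchTerm(requestPath)}</h1>`;
}

// Hardened: the same page, but every reflected character that could start or
// end a tag or attribute is encoded first.
function renderSearchSafe(requestPath) {
  return `<h1>Results for ${escapeHtml(searchTerm(requestPath))}</h1>`;
}

// Session cookie attributes that limit what a successful XSS can take:
// HttpOnly keeps the cookie out of document.cookie, Secure restricts it to
// HTTPS, SameSite=Lax keeps it off most cross-site requests.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Crude detection helper: does rendered output contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration with a constructed probe link.
const probeLink = '/search?q=' + encodeURIComponent('<script>probe()</script>');
console.log('unsafe :', renderSearchUnsafe(probeLink));
console.log('safe   :', renderSearchSafe(probeLink));
console.log('cookie :', sessionCookieHeader('constructed-session-id'));
```

The encoding function is context-specific: it is correct for element bodies and quoted attributes, not for values placed inside a script block, a URL, or a CSS rule, which each need their own encoder.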