Saturday, 4 March 2017

Firefox Webconsole allows arbitrary code to execute.

Let's do this....

Steps to Reproduce:

1. Open a new tab.
2. Press Ctrl+Shift+K to open a console.
3. Run the following code in the console.


'about:newtab' is considered a chrome-privileged page, so injecting code within such a context would result in automatic RCE.

Bug reported by: Dhiraj Mishra