CVE-2026-44658
Remote Code Execution in Zen Browser via RSS Feed Links

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Zen is a Firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b.
Affected Vendors & Products
Vendor: zen
Product: browser
Version / Range: up to 1.19.12b (excluding)
CWE
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Zen Browser versions before 1.19.12b. When a user adds an RSS live folder, the feed URL they type is validated in promptForFeedUrl so that only http: and https: are accepted, but the same restriction is never applied to the link of each item inside the feed.

The feed provider copies each RSS/Atom item link into item.url and keeps any item that has a URL and a date; nothing looks at the URL's scheme. The live-folder manager then creates pinned lazy tabs from those values with gBrowser.addTrustedTab(item.url, ...). In Firefox's tab browser, addTrustedTab is meant for URLs that come from trusted (chrome) code and loads them with the system principal as the triggering principal, so the checks that normally stop web content from navigating to privileged schemes do not apply. A feed item whose link uses a non-web scheme such as javascript:, data:, file:, about:, or chrome: therefore reaches that sink unfiltered.

An attacker would need the user to add a live folder pointing at a feed the attacker controls or has compromised and that contains such an item. When the user interacts with that item, the browser attempts to load the unsafe URL as a trusted tab.

The reported CVSS score is 2.4 (low) because exploitation requires user interaction and high privileges, but the bug still crosses an intended boundary: untrusted feed content ends up deciding what a trusted tab loads.
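The item filter described above, as an added JavaScript example rather than Zen's own code: the vulnerable shape keeps any item with a URL and a date, while the hardened shape also requires an absolute http: or https: URL before the value can reach the tab-creation sink. Function names, item fields and the sample items are constructed for illustration, and gBrowser.addTrustedTab is replaced by a stand-in that records what would have been opened.

```javascript
// Added example (not Zen's code): presence/date filter beside a scheme-checked one.
// Names (mapFeedItems*, isWebUrl, openAsTrustedTabs) are assumptions for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// True only for absolute URLs whose scheme is http: or https:.
// new URL() lower-cases the scheme and strips leading/trailing whitespace,
// so "  JAVASCRIPT:..." is still rejected; relative links ("/x") throw and are rejected.
function isWebUrl(candidate) {
  if (typeof candidate !== "string") return false;
  try {
    return ALLOWED_SCHEMES.has(new URL(candidate).protocol);
  } catch {
    return false; // not an absolute URL at all
  }
}

// Raw items as a feed parser might hand them over (constructed sample data).
const RAW_ITEMS = [
  { title: "Normal post", link: "https://example.com/post/1", pubDate: "2026-05-01T00:00:00Z" },
  { title: "No date", link: "https://example.com/post/2", pubDate: null },
  { title: "Script", link: "javascript:alert(document.domain)", pubDate: "2026-05-02T00:00:00Z" },
  { title: "Data", link: "data:text/html,<h1>hi</h1>", pubDate: "2026-05-03T00:00:00Z" },
  { title: "Local file", link: "file:///etc/passwd", pubDate: "2026-05-04T00:00:00Z" },
  { title: "Internal page", link: "about:config", pubDate: "2026-05-05T00:00:00Z" },
  { title: "Chrome", link: "chrome://browser/content/browser.xhtml", pubDate: "2026-05-06T00:00:00Z" },
  { title: "Mixed case", link: "HTTP://example.com/post/3", pubDate: "2026-05-07T00:00:00Z" },
  { title: "Relative", link: "/post/4", pubDate: "2026-05-08T00:00:00Z" },
];

// Vulnerable shape: map link -> url, keep items that merely have a url and a date.
function mapFeedItemsVulnerable(rawItems) {
  return rawItems
    .map((raw) => ({ title: raw.title, url: raw.link, date: raw.pubDate }))
    .filter((item) => item.url && item.date);
}

// Hardened shape: same mapping plus the scheme check, applied where the value is
// produced instead of trusting the later caller to validate it.
function mapFeedItemsHardened(rawItems) {
  return rawItems
    .map((raw) => ({ title: raw.title, url: raw.link, date: raw.pubDate }))
    .filter((item) => item.url && item.date && isWebUrl(item.url));
}

// Stand-in for the tab-creation sink: the real gBrowser.addTrustedTab only exists
// inside the browser, so this just records which URLs would have been opened.
function openAsTrustedTabs(items) {
  return items.map((item) => item.url);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", openAsTrustedTabs(mapFeedItemsVulnerable(RAW_ITEMS)));
  console.log("hardened:  ", openAsTrustedTabs(mapFeedItemsHardened(RAW_ITEMS)));
}
```

With the sample items, the vulnerable path forwards eight URLs to the sink, including the javascript:, data:, file:, about: and chrome: links; the hardened path forwards only the two http(s) links. Checking the parsed protocol rather than a string prefix is what makes the mixed-case and leading-whitespace variants fail closed.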


How can this vulnerability impact me?

Malicious or unsafe URLs taken from RSS feed items can be opened as trusted tabs in Zen Browser.

If an attacker convinces you to add a live folder for a feed they control, or a feed you already use is compromised, interacting with its items can make the browser load javascript:, data:, file:, about: or chrome: URLs in a trusted tab rather than as ordinary web content.

What that yields depends on how the browser handles each scheme in a trusted context; the page's title frames it as code execution, and data exposure within the browser context is the other plausible outcome.

The impact is limited by the need for user interaction and high privileges, which is why the severity is rated low.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The browser creates trusted tabs from RSS/Atom item links without restricting them to http: or https:. There is no network signature for the flaw itself; detection means confirming the installed Zen Browser version and finding feeds whose item links use a non-web scheme such as javascript:, data:, file:, about:, or chrome:.

Feed bodies can be inspected either from a saved copy of the feed or, for feeds served over plain http, from a network capture; https feeds are encrypted on the wire and must be inspected after download.

Suggested commands or approaches include:

  • Check the installed version: anything before 1.19.12b is affected, so the version is the most reliable indicator.
  • Download the feeds configured as live folders and inspect each <item><link> (RSS) or <entry><link href="..."> (Atom) for schemes other than http or https.
  • Use network monitoring tools (e.g., Wireshark, tcpdump) to capture feed requests served over plain http and inspect the item links in the response bodies.
  • Search local browser data or configuration files for RSS live folder URLs, then fetch and parse their contents for unsafe schemes.
  • Example command to find suspicious links in a saved RSS feed: grep -Eio '<link[^>]*>[[:space:]]*(javascript|data|file|about|chrome):[^<]*' feed.xml (Atom feeds put the link in an href attribute, so use grep -Eio 'href="[[:space:]]*(javascript|data|file|about|chrome):[^"]*' feed.xml). Note that \s inside a bracket expression is not portable ERE syntax, which is why [[:space:]] is used here.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update Zen Browser to version 1.19.12b or later, where the fix applies the same http:/https: restriction to RSS/Atom item links before they reach gBrowser.addTrustedTab.

Until the update can be applied, do not add RSS live folders for feeds from untrusted or unknown sources, and review the feeds already configured as live folders: a feed you added earlier can start serving a malicious item whenever its publisher or hosting is compromised, and the vulnerability only needs you to interact with that item.

