CVE-2016-9901 in Firefox

Summary

by MITRE

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" (unprivileged) page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.

Analysis

by VulDB Data Team • 11/25/2025

This vulnerability represents a critical cross-site scripting flaw in Mozilla Firefox that exploits the Pocket extension's handling of untrusted HTML content. The issue arises from insufficient input validation when processing HTML tags received from the Pocket server, creating an environment where maliciously crafted HTML can be injected into the browser's unprivileged about:pocket-saved page. The vulnerability specifically impacts Firefox Extended Support Release versions prior to 45.6 and standard Firefox versions prior to 50.1, indicating a widespread exposure across multiple browser channels. The technical flaw stems from the lack of proper sanitization mechanisms that should have been implemented to prevent the execution of arbitrary JavaScript code within the context of the Pocket extension's interface.

The operational impact of this vulnerability is severe, as it allows attackers to execute malicious code within the Pocket extension's security context, potentially enabling unauthorized access to Pocket's messaging API. This HTML injection vulnerability creates a privilege escalation path where untrusted content from a remote server can be rendered with elevated privileges, effectively bypassing the normal security boundaries that separate unprivileged browser pages from extension functionality. The about:pocket-saved page, which operates in an unprivileged context, becomes a vector for code execution that could lead to data exfiltration, session hijacking, or further exploitation of the user's Pocket account. This type of vulnerability falls under CWE-79, which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1203, which covers exploitation for privilege escalation through web-based attacks.

The security implications extend beyond simple code execution as this vulnerability could enable attackers to manipulate Pocket's functionality, potentially leading to unauthorized content modifications or the theft of user credentials. The fact that the vulnerability affects both Firefox ESR and standard Firefox releases demonstrates the critical nature of the flaw and its potential for widespread exploitation. Organizations and users running affected versions should prioritize immediate patching to prevent exploitation, as the attack surface includes any user who has the Pocket extension installed and is browsing content that may be processed by the vulnerable extension. This vulnerability highlights the importance of input sanitization and proper content validation in browser extensions, particularly those that handle data from external sources, as it represents a classic example of how insufficient security controls in extension code can create persistent attack vectors that remain active until properly patched.
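The sanitization gap described above, as an added example that is not code from Firefox, Pocket or this entry: a panel renderer that concatenates a server-supplied field into markup, next to one that encodes it for the HTML context, with a tag count usable as a regression check. The response shape, the `title` field and all function names are assumptions made for illustration.

```javascript
// Added example. The response shape and field names are hypothetical;
// this is not Pocket's API or Firefox's panel code.
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// "Before" pattern: the server field is trusted and concatenated as markup.
function renderUnsafe(item) {
  return `<li class="tag">${item.title}</li>`;
}

// Hardened pattern: the server field is data, encoded before templating.
function renderSafe(item) {
  return `<li class="tag">${escapeHtml(item.title)}</li>`;
}

// Count element start tags in rendered markup. A template that should emit
// exactly one element must never yield more, whatever the server sends.
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample response carrying markup in a text field.
const sample = { title: 'news<img src="x" onerror="constructedHandler()">' };

console.log(countStartTags(renderUnsafe(sample))); // extra element present
console.log(countStartTags(renderSafe(sample)));   // only the template's own
console.log(renderSafe(sample));
```

In a real panel the same effect is obtained by assigning server fields through `textContent` rather than `innerHTML`; the string version here keeps the check runnable without a DOM.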

Reservation: 12/07/2016

Disclosure: 06/11/2018

Moderation: accepted

Entry: VDB-94497

CPE: ready

EPSS: 0.02030

KEV: no

Activities: very low
