CVE-2020-15664 in Firefox
Summary
by MITRE • 10/04/2020
By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/15/2020
This vulnerability represents a sophisticated browser security flaw that exploited a cross-origin scripting weakness in Mozilla Firefox and Thunderbird applications. The issue stemmed from how the browser handled references to the eval() function within about:blank windows, creating an unexpected pathway for malicious actors to access privileged objects. The vulnerability specifically targeted the InstallTrigger object, which serves as a legitimate mechanism for web pages to prompt users to install browser extensions. When a malicious webpage maintained a reference to eval() from an about:blank context, it could effectively bypass normal security restrictions that should prevent such access.
The technical exploitation occurred through a combination of JavaScript sandbox bypass techniques and cross-origin object access patterns. The about:blank window context created a unique environment where certain security boundaries were relaxed, allowing the malicious code to obtain references to objects that should normally be restricted to specific origins or contexts. This particular flaw leveraged the way Firefox handled JavaScript execution contexts and object references across different window origins. The vulnerability was particularly dangerous because it could be combined with social engineering tactics to trick users into installing malicious extensions, making it a prime example of a user-interaction dependent exploit.
The operational impact of this vulnerability was significant for organizations and individual users relying on affected versions of Mozilla products. Attackers could potentially install malicious browser extensions without user consent, which could lead to persistent malware infections, data exfiltration, or further exploitation of the compromised system. The vulnerability affected multiple product lines including Firefox desktop browsers, Thunderbird email clients, and Firefox for Android, creating a wide attack surface. The fact that it affected both regular releases and extended support releases meant that organizations running older versions were particularly vulnerable, as these typically receive security updates for extended periods.
Security researchers classified this vulnerability under CWE-264, which covers permissions, privileges, and access control issues, and it aligns with ATT&CK techniques involving privilege escalation and persistence mechanisms. The exploit required minimal user interaction beyond the initial page load, making it particularly dangerous in phishing scenarios where users might be tricked into clicking through the extension installation prompts. Organizations should have immediately updated to the patched versions, as the vulnerability could be exploited through standard web browsing activities without requiring any special prerequisites or user actions beyond visiting a malicious website.
Mitigation strategies included immediate deployment of security patches for all affected versions, implementation of web application firewalls to detect and block malicious content, and user education regarding extension installation prompts. The fix involved tightening the security boundaries around the eval() function references and ensuring proper object access controls between different window contexts. Security teams should have monitored for exploitation attempts through network traffic analysis and browser security logs, as the vulnerability would have generated specific patterns of cross-origin object access that could be detected by security monitoring systems.