This advisory is a courtesy advisory for downstream users of the Firefox Profiler software, i.e. for maintainers of forks of the profiler, and for maintainers of custom / internal deployments of the profiler. There is no security impact for users of the official deployment of the Firefox Profiler at https://profiler.firefox.com/.
The actual impact of this issue for each downstream deployment depends on the specifics of that deployment, in particular on the CSP that the profiler is served with, and on what information is accessible by code running within the profiler. Downstream maintainers are encouraged to create their own advisories with accurate impact descriptions.
Impact
A Stored XSS vulnerability was found in the handling of the sourceURL value in the profile data. When displaying an attacker-controlled profile file containing a javascript: sourceURL value, the Firefox Profiler would create a "Build ID" link in the Profile Info panel (visible at the top right of the Profiler UI) with this attacker-controlled URL. On deployments of the profiler without an effective CSP, clicking this link would execute the attacker-controlled code in the javascript: URL.

Users of profiler.firefox.com are not impacted because this deployment of the Firefox Profiler uses a CSP which blocks the attack.
Users of other deployments of the Firefox Profiler, e.g. of company-internal deployments or of Firefox profiler forks, may be affected if those deployments do not use an effective CSP which disallows javascript URLs.
If such deployments exist, until these deployments are updated with the fix, users of them are asked to carefully look at the link target on the revision value (the Build ID line) in the Profile Info panel before clicking on it. The link target will always show up as a tooltip.
Patches
The problem has been patched and the new version has been deployed to https://profiler.firefox.com. We encourage all deployments of the Firefox Profiler or of its forks to update their server with the patch in PR #5454.
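For downstream maintainers who want a defence-in-depth check in addition to the CSP, the following added example validates a profile-supplied sourceURL before it is used as a link target. It is not the Firefox Profiler's code or the patch in PR #5454; the function names, the `label` parameter and the sample values are hypothetical.

```javascript
// Added example, not the Firefox Profiler's own code.
// Only these schemes may be used as the target of a profile-supplied link.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalized href when `raw` is an absolute http(s) URL, else null.
function safeExternalHref(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    // Use the WHATWG URL parser, the same one the browser applies to href.
    // It trims leading whitespace, drops tabs/newlines and lowercases the
    // scheme, so obfuscated spellings of "javascript:" are seen as such.
    parsed = new URL(raw);
  } catch {
    return null; // relative or malformed values never become links
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Hypothetical render decision: link only when the URL passed the check,
// otherwise the caller shows the label as plain text.
function describeBuildIdLink(label, sourceURL) {
  const href = safeExternalHref(sourceURL);
  return { label: String(label), href, asLink: href !== null };
}

// Constructed sample sourceURL values (not taken from a real profile).
const SAMPLES = [
  "https://example.org/rev/abc123",
  "HTTPS://Example.org/rev/1",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<p>x</p>",
  "/rev/abc123",
];

// Returns [value, allowedAsLink] pairs for the samples above.
function classifySamples() {
  return SAMPLES.map((s) => [s, safeExternalHref(s) !== null]);
}

for (const [value, allowed] of classifySamples()) {
  console.log(JSON.stringify(value), allowed ? "link" : "plain text");
}
```

A naive `startsWith("javascript:")` test would miss the whitespace, mixed-case and embedded-tab variants, which is why the check is an allowlist applied to the parsed scheme.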
References
#5454
Credits
Thank you Islam Rzayev (github: @parantheses, HackerOne: parantheses) for reporting the issue to us.