“We also encountered calls to eval() outside of our codebase”
Mozilla has removed what it calls ‘dangerous artifacts’ from its codebase in order to harden Firefox’s defences against code injection attacks.
When the Firefox browser is installed it also comes with a host of built-in pages that give users access to functions and information such as network details, downloads, plug-ins, memory and performance data.
In a security blog Mozilla expressed concern that “if an attacker manages to inject code into such an about: page, it potentially allows an attacker to execute the injected script code in the security context of the browser itself, hence allowing the attacker to perform arbitrary actions on the behalf of the user.”
The possibility of this type of arbitrary code execution is a security risk. Removing the inline script from all of the about: pages reduces the attack surface exposed to threat actors and forces them to try to exploit the browser through more complicated methods.
Mozilla Security Removes eval() Functions
To minimise the risk to users from hackers exploiting this function in the platform’s codebase, the security team at Firefox has rewritten uses of ‘eval()’-like functions in important security sections. They have also added runtime ‘assertions’ that check the condition of the script and disallow the use of eval() functions.
The security team says it ‘unexpectedly’ discovered that the platform was receiving calls to execute eval() functions from outside of its codebase.
“After that mechanism was removed, users found a way to accomplish the same thing through a few other unintended tricks. Unfortunately we have no control of what users put in these customization files, but our runtime checks confirmed that in a few rare cases it included eval. When we detect that the user has enabled such tricks, we will disable our blocking mechanism and allow usage of eval().”
The Mozilla security team says that it will continue to audit the platform in order to harden Firefox’s overall security.
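As an added illustration (not Mozilla’s code and not part of the original article), the heuristic audit below flags the two patterns described above in a project’s own sources: inline script in a page and eval()-like calls. The rule set, file names and sample input are constructed assumptions, and regex matching of HTML is only a first-pass check.

```javascript
// Added example: heuristic audit for inline script and eval()-like calls.
// The rules, file names and sample input are constructed for illustration.
const HTML_RULES = [
  // <script> element without a src attribute, i.e. an inline script body
  { id: "inline-script", re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi },
  // inline event handler attribute such as onclick="..."
  { id: "inline-handler", re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
  // javascript: URL in an href, src or action attribute
  { id: "javascript-url", re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
];
const JS_RULES = [
  { id: "eval-call", re: /\beval\s*\(/g },
  { id: "function-constructor", re: /\bnew\s+Function\s*\(/g },
  // setTimeout/setInterval called with a string literal as the code to run
  { id: "string-timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

// Return [{ file, line, rule }] for every match in one source file, by line.
function auditSource(file, text) {
  const rules = /\.x?html?$/i.test(file) ? HTML_RULES.concat(JS_RULES) : JS_RULES;
  const findings = [];
  for (const { id, re } of rules) {
    for (const m of text.matchAll(re)) {
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ file, line, rule: id });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page: one external script (allowed) and three inline uses.
const SAMPLE_PAGE = [
  '<html><head>',
  '<script src="page.js"></script>',
  '<script>init();</script>',
  '</head><body>',
  '<button onclick="refresh()">Refresh</button>',
  '<a href="javascript:void(0)">more</a></body></html>',
].join("\n");
// Constructed sample script: eval()-like calls next to a safe timer call.
const SAMPLE_JS = [
  'const cfg = eval("(" + raw + ")");',
  'setTimeout("tick()", 1000);',
  'setTimeout(tick, 1000);',
  'const f = new Function("a", "return a");',
].join("\n");

console.log(auditSource("about-sample.html", SAMPLE_PAGE), auditSource("sample.js", SAMPLE_JS));
```

Each finding marks a place where the script would be moved into a packaged file or the eval()-like call replaced with a non-evaluating equivalent.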