CVE-2023-29540

Vulnerability

A vulnerability exists in Firefox's source map handling where a redirect embedded into sourceMappingUrls can be used to navigate to external protocol links (e.g., tel:, mailto:) in sandboxed iframes lacking the allow-top-navigation-to-custom-protocols attribute [1][2]. This affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112 [1]. The browser only checks the protocol of the initial sourcemap URL, not the redirect target, allowing the bypass [2].

Exploitation

An attacker hosts a malicious source map file and a redirect script on their site, and an iframe on a victim site pointing to the attacker's redirect [2]. When the victim opens the iframe (even without user interaction), the browser fetches the sourcemap, follows the redirect to an external protocol link, and triggers the protocol handler dialog [2]. The attack does not require allow-top-navigation-to-custom-protocols and bypasses the user gesture requirement for external protocols [2].

Impact

An attacker can launch external protocol dialogs on the victim's device, which may lead to further exploitation such as making phone calls or sending messages without user consent [2]. This is particularly useful for malvertisers [2]. The impact is considered high [1].

Mitigation

Firefox 112, Firefox for Android 112, and Focus for Android 112 fix this vulnerability [1]. The fix involves preventing redirects when fetching sourcemaps or moving handling to the devtools server [2]. Users should update to the latest versions [1]. No workarounds are available for older versions.