Mozilla Hardens Firefox Against Injection Attacks

Mozilla this week announced a reduced attack surface for code injection in Firefox through the removal of potentially dangerous artifacts such as occurrences of inline scripts and eval()-like functions.

The first codebase change affects the built-in about: pages that Firefox ships with, which were designed to provide an interface to the internal state of the browser. about:config is the best known of them, designed to help Firefox users customize the browser.

Given that these about: pages are implemented using HTML and JavaScript, they are prone to the same vulnerabilities as regular web pages, and are not safe from code injection attacks either. 

Thus, if an attacker can inject code into an about: page, they can potentially execute that code in the security context of the browser itself, ultimately being able to perform arbitrary actions on behalf of the user.

Now, Mozilla says they rewrote all inline event handlers and moved all inline JavaScript code to packaged files for all of the 45 about: pages in Firefox. 

The result was the ability to apply a strong Content Security Policy (CSP) such as 'default-src chrome:', which prevents injected JavaScript code from executing.
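As an added illustration (not Mozilla's code), the following audit reads a CSP string and reports whether it still permits inline script or eval()-like functions, which is the property the 'default-src chrome:' policy above is relied on for. It uses the standard fallback rule (script-src, else default-src, else unrestricted), treats 'unsafe-inline' and 'unsafe-eval' as the only keywords that reopen those paths, and applies the CSP3 rule that a nonce or hash source neutralises 'unsafe-inline'. It deliberately ignores script-src-elem, script-src-attr and 'strict-dynamic'. The sample policies other than the Firefox one are constructed for the example.

```javascript
// Added example: audit a Content-Security-Policy string for inline script and eval().
// Not Firefox code. Assumes CSP2/CSP3 fallback semantics described in the lead-in.

// Parse "name value value; name value" into a Map of directive -> source list.
// Per the CSP spec the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Script execution is governed by script-src; if absent, default-src applies;
// if neither is present the policy places no restriction on scripts at all.
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function auditCsp(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) {
    return { inlineScriptAllowed: true, evalAllowed: true, scriptSources: [] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce- or hash-source in the list makes 'unsafe-inline' ineffective (CSP3).
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    inlineScriptAllowed: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    evalAllowed: lower.includes("'unsafe-eval'"),
    scriptSources: sources,
  };
}

// Constructed sample policies: the one quoted in the article and a permissive site policy.
const samplePolicies = {
  firefoxAboutPage: 'default-src chrome:',
  permissiveSite: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
};
for (const [name, policy] of Object.entries(samplePolicies)) {
  console.log(name, auditCsp(policy));
}
```

Run under Node; the first policy reports both inline script and eval blocked, the second reports both allowed. The same function can be pointed at the Content-Security-Policy header of any response to find pages that still carry 'unsafe-inline' or 'unsafe-eval'.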

“Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla content security tech lead Christoph Kerschbaumer explains. 

The second change in Firefox concerns the JavaScript function eval(), which parses an arbitrary string and executes it as code in the same security context as the calling script. While it allows the execution of runtime-generated code and of code stored in non-script locations, it also introduces attack surface for code injection.
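As an added illustration (not Firefox code), here are the eval()-like functions the article refers to next to the kind of refactor that removes them: settings text is parsed as data rather than executed, and a runtime-chosen behaviour is looked up in a fixed table rather than assembled into source. The settings strings, the probe object and the action table are constructed for the example.

```javascript
// Added example, not Firefox code: eval()-like calls beside a refactor that removes them.

// Constructed probe: records whether evaluated text ever ran as code.
const probe = { tampered: false };

// Before: each of these compiles and runs a string it was handed. eval() proper and the
// Function constructor are shown; string-argument setTimeout/setInterval belong to the
// same family (they are omitted here because Node rejects string callbacks).
function applySettingsUnsafe(settingsText) {
  return eval('(' + settingsText + ')');
}
function makeHandlerUnsafe(body) {
  return new Function('event', body);
}

// After: settings are parsed as data and never executed; only known keys are kept.
const ALLOWED_SETTINGS = new Set(['theme', 'fontSize']);
function applySettingsSafe(settingsText) {
  const parsed = JSON.parse(settingsText); // SyntaxError on anything that is not JSON
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('settings must be a JSON object');
  }
  const settings = {};
  for (const key of Object.keys(parsed)) {
    if (ALLOWED_SETTINGS.has(key)) settings[key] = parsed[key];
  }
  return settings;
}

// After: a behaviour chosen at runtime is looked up in a frozen table instead of being
// built into source text; the own-property check keeps prototype names like
// "constructor" from resolving.
const ACTIONS = Object.freeze({
  reload: () => 'reloaded',
  reset: () => 'settings reset',
});
function runActionSafe(name) {
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, name)) {
    throw new Error('unknown action: ' + name);
  }
  return ACTIONS[name]();
}

// Constructed inputs: a benign settings string and one with an expression appended.
const BENIGN = '{"theme": "dark", "fontSize": 14}';
const TAMPERED = '{"theme": "dark"}, probe.tampered = true';

function demo() {
  applySettingsUnsafe(TAMPERED); // the appended expression executes
  const ranAsCode = probe.tampered;
  const handlerResult = makeHandlerUnsafe('return event.type')({ type: 'click' });
  let safeRejected = false;
  try {
    applySettingsSafe(TAMPERED);
  } catch (e) {
    safeRejected = e instanceof SyntaxError;
  }
  return { ranAsCode, handlerResult, safeRejected, safeSettings: applySettingsSafe(BENIGN) };
}
console.log(demo());
```

The contrast is the point: the eval() path turns a data string into executed code, whereas JSON.parse either yields data or throws, and the dispatch table bounds what a name can select. This is the same reasoning behind forbidding eval() and its relatives in privileged contexts, where a CSP assertion can then enforce it.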

“To further minimize the attack surface in Firefox and discourage the use of eval() we rewrote all use of ‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of ‘eval()’ and its relatives in system-privileged script contexts,” Kerschbaumer notes. 

While making these changes, Mozilla also discovered that there were some calls to eval() outside of their codebase, due to an older mechanism that allowed users to execute their own JavaScript in the context of the browser. 

The feature was meant for customizations at startup time, but is now considered a security risk. The mechanism has been removed, but users have turned to other tricks to achieve the same customizations, including the use of eval(). Thus, Firefox will disable the blocking mechanism and allow the use of eval() when such tricks are detected.

The eval() assertions will continue to inform the Mozilla Security Team of unknown instances of eval(), which will be closely audited and evaluated, and possibly restricted as the Firefox security landscape is hardened.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
