Mozilla this week announced a reduced attack surface for code injection in Firefox through the removal of potentially dangerous artifacts such as occurrences of inline scripts and eval()-like functions.
The first codebase change affects the built-in about: pages that Firefox ships with, which are designed to provide an interface to the browser's internal state. about:config is the best known of them, designed to let Firefox users customize the browser.
Because these pages run with the browser's own privileges, an attacker who can inject code into an about: page can potentially execute it in the security context of the browser itself, ultimately performing arbitrary actions on behalf of the user.
“To further minimize the attack surface in Firefox and discourage the use of eval() we rewrote all use of ‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of ‘eval()’ and its relatives in system-privileged script contexts,” Kerschbaumer notes.
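As an added illustration that is not Mozilla's code and not from the article, the JavaScript below contrasts an eval()-based preference parser (the kind of pattern the post says was rewritten) with a JSON-based replacement, and adds a simplified guard modeled on the assertions Kerschbaumer describes. `parsePrefSafe`, `PREF_SCHEMA` and `installEvalGuard` are my own names, and the guard is a stand-in for Firefox's internal mechanism, not a reproduction of it.

```javascript
// Before: evaluating a string from an untrusted source runs any injected
// text as code in the caller's (possibly privileged) context.
// Constructed anti-pattern, shown only for contrast.
function parsePrefUnsafe(prefString) {
  return eval("(" + prefString + ")");
}

// After: JSON.parse never executes code; an allow-list of expected keys and
// value types rejects anything the caller did not anticipate.
const PREF_SCHEMA = { theme: "string", fontSize: "number", sidebar: "boolean" };

function parsePrefSafe(prefString) {
  const obj = JSON.parse(prefString);
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new TypeError("pref must be a JSON object");
  }
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    const hasKey = Object.prototype.hasOwnProperty.call(PREF_SCHEMA, key);
    if (!hasKey || typeof value !== PREF_SCHEMA[key]) {
      throw new TypeError(`unexpected pref ${key}`);
    }
    out[key] = value;
  }
  return out;
}

// Simplified guard (hypothetical): wraps eval()-like entry points on a
// context object and throws whenever they are called while the context is
// flagged as system-privileged. Callers pass their own object so that the
// process-wide globals are never modified.
function installEvalGuard(target, isPrivileged) {
  for (const name of ["eval", "Function"]) {
    const original = target[name];
    if (typeof original !== "function") continue;
    target[name] = function guarded(...args) {
      if (isPrivileged()) {
        throw new Error(`${name}() is disallowed in a system-privileged context`);
      }
      return original.apply(this, args);
    };
  }
  return target;
}

module.exports = { parsePrefUnsafe, parsePrefSafe, PREF_SCHEMA, installEvalGuard };
```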
The feature was meant for customizations at startup time, but is now considered a security risk. The mechanism has been removed, but users turned to other tricks to achieve the same customizations, including the use of eval(). Thus, Firefox will disable the blocking mechanism and allow the use of eval() when such tricks are detected.
The eval() assertions will continue to inform the Mozilla Security Team of unknown instances of eval(), which will be closely audited and evaluated, and possibly restricted as the Firefox Security Landscape is hardened.