Title:

NoScript Bypass

Release Date:

June 20, 2015

Patch Date:

June 19, 2015

Reported Date:

June 17, 2015

Vendor:

Giorgio Maone/NoScript

Systems Affected:

Affected all systems with NoScript version < 2.6.9.27.

Summary:

Due an expired domain of vjs.zendcdn.net in the default whitelist for NoScript, it is possible to bypass the protection offered by the add-on by registering the expired domain name.

Vendor Status:

An update has been released that fixed this issue as of June 19, 2015.

Exploit Availability:

Because of the expired domain of vjs.zendcdn.net in the default whitelist for NoScript, it is possible for a malicious user to bypass the protection offered by the add-on by registering the expired domain name. Since the add-on explicitly trusted this domain, a malicious user could host malicious payloads on vjz.zendcdn.net that execute JavaScript despite NoScript being enabled. To prevent this attack, the domain was registered and redirected to 127.0.0.1.

Researcher(s):

Matt Bryant of Bishop Fox