Adblock Plus filter lists may execute arbitrary code in web pages

Considering the nature and implications of the uncovered vulnerabilities, and given that filter lists have been employed in the past for politically motivated attacks, details of the exploit chain are publicly disclosed to ensure the fastest possible propagation of upcoming mitigations in the affected browser extensions and web services. However, web services can be exploited with the help of this filter option when they use XMLHttpRequest or Fetch to download code snippets for execution, while allowing requests to arbitrary origins and hosting a server-side open redirect. The following criteria must be met for a web service to be exploitable using this method:

Filter list operators may deliver a rule update such as this:

The above rule redirects the target request to Google’s I’m Feeling Lucky search service, which then redirects to a page with the payload: .
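The conditions described above (code fetched with XMLHttpRequest or Fetch, requests allowed to arbitrary origins, a redirect to another host) suggest two defensive checks. They are sketched here as an added example that is not code from the original article. The allowlisted origin, the function names, and the assumption that the browser reports the post-redirect URL in `response.url` are all hypothetical.

```javascript
// Added example: all names and origins below are constructed for illustration.
const ALLOWED_CODE_ORIGINS = new Set(["https://static.example.com"]); // assumption

// True only if the URL the response was finally served from (after any
// redirect) is HTTPS and on the allowlist of origins trusted to serve code.
function isTrustedCodeSource(finalUrl, allowed = ALLOWED_CODE_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(finalUrl);
  } catch {
    return false; // unparsable URL: never execute
  }
  return parsed.protocol === "https:" && allowed.has(parsed.origin);
}

// True if a Content-Security-Policy value limits where XHR/Fetch may connect.
// connect-src falls back to default-src; with neither, any origin is allowed.
function connectSrcIsRestricted(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  const sources = directives.get("connect-src") ?? directives.get("default-src");
  if (!sources) return false;
  // A bare "*" or a scheme-only source such as "https:" still allows any host.
  return !sources.some((s) => s === "*" || /^(https?|wss?):$/i.test(s));
}

// Fetch a code snippet and refuse to hand it to the caller unless the
// final response URL is trusted. fetchImpl is injectable for testing.
async function loadSnippet(url, fetchImpl = fetch) {
  const res = await fetchImpl(url, { redirect: "follow" });
  if (!res.ok || !isTrustedCodeSource(res.url)) {
    throw new Error(`refusing code from untrusted source: ${res.url}`);
  }
  return res.text();
}
```
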

Source: armin.dev