NoScript vulnerability allows malicious scripts to run unchecked

Bruno Ferreira

Security researcher Linus Särud has uncovered a security vulnerability in the popular NoScript browser extension that could allow an attacker to run arbitrary JavaScript in a victim's browser. An exploit of this vulnerability could expose private data or lead users to download malicious software.

The attack works because NoScript ships with a limited whitelist of trusted domains, allowing the host browser to load commonly used tools from certain content delivery networks such as googleapis.com. This feature tries to preserve websites' functionality while simultaneously blocking any potentially malicious code.

Because the extension will implicitly trust any subdomain whose parent domain is present in the whitelist, Särud found that NoScript will trust the storage.googleapis.com subdomain, which hosts Google's Cloud Storage service. He uploaded a small test script there, which cleanly got past NoScript.

Särud built upon the work of Matthew Bryant, another security researcher, who found that the whitelist itself was stale—it contained the unused domain vjs.zendcdn.net. Bryant registered zendcdn.net for a mere $10.69, and put up a proof-of-concept script that NoScript dutifully let through.
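Both problems come down to how a trusted-domain list is matched and maintained. The following is an added example (not NoScript's own code) that models the suffix-matching policy the article describes next to an exact-host policy, and audits a whitelist for entries that implicitly admit hosts where third parties can upload content. The whitelist and the set of user-content hosts are constructed sample data; only googleapis.com, storage.googleapis.com and vjs.zendcdn.net come from the article.

```python
"""Audit a NoScript-style trusted-domain whitelist for implicit subdomain trust."""

# Constructed sample whitelist; vjs.zendcdn.net is the stale entry the article mentions.
WHITELIST = ["googleapis.com", "vjs.zendcdn.net"]

# Constructed: hosts on which arbitrary third parties can publish files.
USER_CONTENT_HOSTS = {"storage.googleapis.com"}


def normalize(host: str) -> str:
    """Lower-case the host and drop surrounding whitespace and a trailing dot."""
    return host.strip().lower().rstrip(".")


def trusted_by_suffix(host: str, whitelist) -> bool:
    """Suffix policy (the behaviour described above): a host is trusted if it
    equals a whitelist entry or is any subdomain of one. The leading dot in
    the suffix check stops look-alikes such as evilgoogleapis.com matching."""
    host = normalize(host)
    return any(host == normalize(w) or host.endswith("." + normalize(w))
               for w in whitelist)


def trusted_exactly(host: str, whitelist) -> bool:
    """Exact policy: only the listed host itself is trusted, never its subdomains."""
    host = normalize(host)
    return any(host == normalize(w) for w in whitelist)


def audit_whitelist(whitelist, user_content_hosts):
    """Map each whitelist entry to the user-content hosts it would implicitly
    admit under suffix matching (an entry admitting only itself is not reported)."""
    findings = {}
    for entry in whitelist:
        admitted = sorted(h for h in user_content_hosts
                          if normalize(h) != normalize(entry)
                          and trusted_by_suffix(h, [entry]))
        if admitted:
            findings[entry] = admitted
    return findings


if __name__ == "__main__":
    for host in ("storage.googleapis.com", "evilgoogleapis.com", "vjs.zendcdn.net"):
        print(f"{host:24} suffix={trusted_by_suffix(host, WHITELIST)} "
              f"exact={trusted_exactly(host, WHITELIST)}")
    print("entries admitting user-controlled hosts:",
          audit_whitelist(WHITELIST, USER_CONTENT_HOSTS))
```

Checking whether a listed domain is still registered (the stale-entry problem) needs a DNS or WHOIS lookup and is deliberately left out so the example runs offline.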

Both Särud and Bryant contacted NoScript's author about these issues. An updated version of the extension that closes the loopholes noted above is now available, so NoScript users should update immediately.
