Details on the resolved Adblock Plus for Chrome security issue · 2011-08-17 12:55 by Wladimir Palant
Adblock Plus 1.1.4 for Google Chrome has been released today and fixes a minor security issue. This blog post provides some details.
Affected: Adblock Plus 1.1.3 for Google Chrome and below
Issue: Unsafe processing of website data might facilitate cross-site scripting attacks on websites.
Reporter: Nicholas Carlini (UC Berkeley)
Adblock Plus inherited this flaw from the AdThwart project. It is the classic mistake of using innerHTML without properly sanitizing the data. The issue didn’t go unnoticed after the project handover, but it was deemed not security-relevant because it appeared that it would not allow the website to do anything it couldn’t already do. Given that the surrounding code suffers from a number of other issues, the fix was left for a general rewrite, which hasn’t happened so far.
Nicholas Carlini contacted me about this issue on August 7th and explained how this bug can still be security relevant if the website contains third-party content. I was able to confirm the issue on August 10th. A fix was implemented on the same day.
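The flaw class described above, as an added example that is not part of the original post and is not Adblock Plus or AdThwart code: a hypothetical content-script helper that displays a string taken from the website, first with unsanitized innerHTML, then with text assignment and with escaping. The function names, the `pageValue` parameter and the sample string are assumptions.

```javascript
// Added illustration; hypothetical helper names, not the extension's code.
// `pageValue` stands for any string read from the website, which may have
// been supplied by third-party content embedded in that site.

// Unsafe pattern: the page-derived string is concatenated into markup, so
// any tags inside it are parsed as part of the element the extension builds.
function renderUnsafe(container, pageValue) {
  container.innerHTML = "<li>" + pageValue + "</li>";
}

// Hardened pattern 1: create the node and assign the value as text.
// textContent never invokes the HTML parser, so markup stays inert.
function renderSafe(doc, container, pageValue) {
  const li = doc.createElement("li");
  li.textContent = pageValue;
  container.appendChild(li);
  return li;
}

// Hardened pattern 2, for code that must keep producing markup strings:
// escape every character that is significant in HTML text or attributes.
function escapeHTML(value) {
  const entities = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

function renderEscaped(container, pageValue) {
  container.innerHTML = "<li>" + escapeHTML(pageValue) + "</li>";
}

// Constructed sample value: harmless markup that shows whether the value
// is treated as text or as HTML.
const SAMPLE_PAGE_VALUE = 'banner.png?label=<b title="x">third-party</b>';
```

Pattern 1 is preferable where the surrounding code can be changed to build nodes directly; pattern 2 is the smaller change when existing code assembles HTML strings.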