Infinite JS Warning Popups - How to crash TB through NoScript

Post by aliphapet » Mon Aug 16, 2021 1:23 pm

Hi There,

You can see full details reported to TorProject:

https://gitlab.torproject.org/tpo/appli ... sues/40596

ThX!
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Post by therube » Wed Aug 18, 2021 4:11 pm

(I'll just note that in FF [not Tor] 78ESR & 91, I can get high CPU [that does subside after a bit], but I don't see XSS nor do I crash.
Win7 x64.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.10

Post by Giorgio Maone » Wed Aug 18, 2021 9:44 pm

I can see what's happening there: the page has 152 <noscript> elements, 56 of which contain distinct YouTube iframes, which therefore get scanned for XSS attempts all together, DOSing the browser.

If you either disable the noscript capability for 3mdeb.com or the frame capability for youtube.com the page should load almost instantaneously with no warning.

I should probably look into some form of rate limiting or serialization of the injection checker for edge cases like this.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
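
The serialization idea raised in the last post, sketched as an added example (not written by anyone in this thread and not NoScript's code): a FIFO queue that runs a bounded number of checks at a time and yields to the event loop between them, so 56 frame checks arriving at once no longer execute together. The class, the stub checker and the `video.example` URLs are all hypothetical.

```javascript
// Added example: every name here is hypothetical, not NoScript's API.
class SerializedChecker {
  constructor(checkFn, maxConcurrent = 1) {
    this.checkFn = checkFn;            // async (url) => verdict
    this.maxConcurrent = maxConcurrent;
    this.running = 0;                  // checks currently executing
    this.peak = 0;                     // highest concurrency observed
    this.pending = [];                 // FIFO of checks not yet started
  }

  // Queue one check; the promise settles with that URL's verdict.
  submit(url) {
    return new Promise((resolve, reject) => {
      this.pending.push({ url, resolve, reject });
      this._drain();
    });
  }

  _drain() {
    while (this.running < this.maxConcurrent && this.pending.length > 0) {
      const job = this.pending.shift();
      this.running++;
      this.peak = Math.max(this.peak, this.running);
      Promise.resolve()
        .then(() => this.checkFn(job.url))   // also traps synchronous throws
        .then(job.resolve, job.reject)
        .finally(() => {
          this.running--;
          // Yield to the event loop so the UI can paint between checks.
          setTimeout(() => this._drain(), 0);
        });
    }
  }
}

// Stub standing in for the real injection checker (assumption).
const stubCheck = (url) =>
  new Promise((done) => setTimeout(() => done({ url, blocked: false }), 1));

// Constructed input: 56 distinct frame URLs, the count from the post.
const frameUrls = Array.from({ length: 56 },
  (_, i) => `https://video.example/embed/${i}`);

function scanAll(urls, maxConcurrent = 1) {
  const checker = new SerializedChecker(stubCheck, maxConcurrent);
  const verdicts = Promise.all(urls.map((u) => checker.submit(u)));
  return { checker, verdicts };
}
```

Raising `maxConcurrent` trades responsiveness for total scan time; `checker.peak` shows the concurrency actually reached.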
