Website injecting and executing javascript inside url bar.

Bug reports and enhancement requests
Post Reply
Synchronicity
Posts: 1
Joined: Sun Jan 29, 2017 9:27 am

Website injecting and executing javascript inside url bar.

Post by Synchronicity »

Came across this problematic JavaScript code on a certain website:

http://pastebin.com/sMsYxL3s

From what I can tell, it's some kind of obfuscated fingerprinting script that, upon execution, generates a fingerprint hash and executes the following code on a new page:

Code: Select all

javascript:window.opener=null;setTimeout(function(){window.location.href='http://onderlea.info/*insert_encoded_fingerprint_hash*'},250)
I realize that NoScript prevents people from running "javascript:" urls, but it doesn't completely disable this behavior. It can be bypassed via bookmarks, etc.

Is there any way we could perhaps add a means to completely disable this behavior? I personally don't see any legitimate reason for this behavior outside of development, especially if it originates from a remote website.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Top
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: Website injecting and executing javascript inside url ba

Post by barbaz »

Just block it in uBlock Origin or similar -

Code: Select all

|javascript:$popup
*Always* check the changelogs BEFORE updating that important software!
-
Top
Post Reply

Return to “NoScript Development”