by AgentME 3526 days ago
The issue with Angular in extensions has to do with the fact it uses eval on the page DOM, which is controlled by the webpage. The webpage can put code into the DOM, and then let Angular execute it from within the higher-privileged extension.

Angular <1.6 had a sandbox feature which blacklisted specific attacks like this, but was not a general solution and was specifically not intended as a security feature. They entirely removed the sandbox in 1.6 because people kept thinking it was a security feature: http://angularjs.blogspot.com/2016/09/angular-16-expression-...

I'm not going to fault someone for not reporting a specific vulnerability with a specifically not-security feature that has already been removed.
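
The trust boundary described in the comment above, as an added example that is not part of the original comment and is not AngularJS code: a constructed `{{ expr }}` interpolator stands in for the framework, and every name in it (`privilegedScope`, `renderEvaluating`, `renderDataOnly`, the token value) is hypothetical.

```javascript
// Constructed model, not AngularJS code: a tiny "{{ expr }}" interpolator stands in
// for a framework that compiles expressions out of whatever markup it is given.

// State that only extension code should be able to read (constructed value).
const privilegedScope = { apiToken: "constructed-extension-token" };

// Pattern from the comment: the template text comes from the page's DOM, so the
// page decides which expressions are evaluated inside the extension's context.
function renderEvaluating(pageMarkup, scope) {
  return pageMarkup.replace(/\{\{(.*?)\}\}/g, (_match, expr) => {
    const evaluate = new Function("scope", `with (scope) { return (${expr}); }`);
    return String(evaluate(scope));
  });
}

function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened form: the template is a constant shipped with the extension, and page
// text is substituted as escaped data. Nothing taken from the page is compiled.
const OWN_TEMPLATE = '<div class="ext-widget">{{pageText}}</div>';
function renderDataOnly(pageText) {
  return OWN_TEMPLATE.replace("{{pageText}}", () => escapeHtml(pageText));
}

// Constructed page content: markup the webpage placed in its own DOM.
const pageControlled = "<span>Hello {{ apiToken }}</span>";

console.log(renderEvaluating(pageControlled, privilegedScope));
console.log(renderDataOnly(pageControlled));
```

The data-only output still contains the literal braces from the page, so it stays safe only as long as it is never handed to an expression compiler afterwards.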