[statusfailed]

Seems bad. "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."

See:

- NVD page for CVE-2024-9680: https://nvd.nist.gov/vuln/detail/CVE-2024-9680

- Mozilla security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2024-5...

[btdmaster]

Ticket in Tor Browser: https://gitlab.torproject.org/tpo/applications/tor-browser/-...

It seems to be JavaScript-free from the description, which makes it even scarier. Imagine the libwebp decoder bug except embedded media blocking doesn't really work (who blocks CSS?).

[mrob]

I block CSS animations:

https://news.ycombinator.com/item?id=33223080

I'd be interested to know if it's sufficient to avoid this recent vulnerability. Either way, it confirms my opinion that UI animations are an anti-feature.

[schiffern]

As a uBlock Origin filter (paste in Settings > My Filters):

  ! No CSS animations
  ##*,::before,::after:style(transition:none !important;animation-delay:0ms !important;animation-duration:0ms !important)
  
  ! No CSS animations (different method)
  ##*,::before,::after:style(animation-timing-function:step-start !important;transition-timing-function:step-start !important)

There's other (often perf heavy) CSS clutter that's nice to get rid of:

  ! No image filters
  ##*,::before,::after:style(filter:none !important)
  
  ! No text-shadow
  ##*,::before,::after:style(text-shadow:none !important)
  
  ! No box-shadow
  ##*,::before,::after:style(box-shadow:none !important)

  ! No rounded corners
  ##*,::before,::after:style(border-radius:0px !important)

No rounded corners is fun. You realize many loading spinners are actually CSS rounded corners! Youtube becomes almost unrecognizable — mercifully — especially if you also revert the new TikTok-inspired font:

  ! Un-bold Youtube
  youtube.com##*:style(font-weight:400 !important)

[krackers]

Firefox doesn't seem to support css animation-timeline, I think this refers to the JS AnimationTimeline API? In that case "dom.animations-api.timelines.enabled" flag should control it.

[tomrittervg]

The vulnerability did require JavaScript to trigger.

I think it would be a labor of love and craftsmanship to exploit a content process today without using JavaScript.

[jjuran]

> The vulnerability did require JavaScript to trigger.

Can you back this up with a citation?

[a_vanderbilt]

He works (or recently worked) for Mozilla on security-related projects. The code commit fixing the issue was isolated to the /dom/ directory in the source tree, and Firefox does not support CSS Animation Timelines. The Animation Timelines code is not directly accessed by web devs, and it appears the only way to execute that code is via the JS API for Animation Timelines. I'm not a web security expert, but the signs seem to point to him being correct.

Once again, JS proves to be a security risk.

[tempaccount420]

Is this karma for dropping Rust? (please don't explain how Rust actually wouldn't fix this)