chrome://brave is available for navigation
<local_file_path> requires local file at
The file loaded in this context has access to private Muon APIs such as
Muon API allows executing code on the device. (e.g. with
> In addition, Brave isn't sandboxed (on all OS).
That's clearly a vulnerability, not a feature:
1. It's in Release channel, not in Debug builds
2. Could lead to RCE
> Note: attacker knows the correct <local_file_path> after loading the file from file:// origin (
I've already shown the way to navigate to file:// URLs in #369218, which was fixed in 0.23.80.
> I mentioned in the report that it's possible to navigate to chrome:// URLs too in #369218. However, the fix was incomplete. It only works for
Brave: 0.23.79 (0.23.80 and 0.23.100 too, where #369218 is patched)
V8: 6.8.275.24
rev: 51b49051a779f0db94fbcfd0df5faca781299ea0
Muon: 8.0.7
OS Release: 17.7.0
Update Channel: Release
OS Architecture: x64
OS Platform: macOS
Node.js: 7.9.0
Brave Sync: v1.4.2
libchromiumcontent: 68.0.3440.84
Preventing navigation to chrome://brave origin seems ok.
Crafted HTML file allows executing code on the device.
> Requires user gesture - "Open in a new tab". Set impact to "High", because it requires downloading the file.
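
The mitigation suggested in the report (preventing navigation to the chrome://brave origin) can be written as a navigation policy check. The following is an added example, not code from Brave or Muon: the function names and sample URLs are hypothetical, and it assumes Node's built-in WHATWG `URL` parser.

```javascript
// Added example: names below are hypothetical, not Brave or Muon APIs.
// Origins that only the browser's own UI pages may navigate to.
const PRIVILEGED_ORIGINS = new Set(['chrome://brave']);

// Parse with the WHATWG URL parser instead of matching string prefixes, so
// scheme case, surrounding whitespace and embedded tabs/newlines are normalized.
function originKey(raw, base) {
  try {
    const u = new URL(raw, base || undefined);
    // Hosts of non-special schemes such as chrome: are not lowercased by
    // the parser, so normalize the host here.
    return `${u.protocol}//${u.hostname.toLowerCase()}`;
  } catch {
    return null; // unparseable input
  }
}

// Returns true when a navigation from initiatorUrl to targetUrl may proceed.
function allowNavigation(initiatorUrl, targetUrl) {
  const initiator = originKey(initiatorUrl);
  // Resolve relative targets against the initiator, as a link click would.
  const target = originKey(targetUrl, initiator ? initiatorUrl : undefined);
  if (target === null) return false;                 // fail closed
  if (!PRIVILEGED_ORIGINS.has(target)) return true;  // ordinary navigation
  // The privileged origin is reachable only from itself, never from
  // file://, http(s):// or an unknown initiator.
  return initiator !== null && PRIVILEGED_ORIGINS.has(initiator);
}

// Constructed sample navigations (paths are placeholders).
const samples = [
  ['file:///tmp/page.html', 'chrome://brave/tmp/page.html'],
  ['file:///tmp/page.html', 'CHROME://BRAVE/tmp/page.html'],
  ['https://example.com/', ' chrome://brave/x'],
  ['chrome://brave/a/', 'b.html'],
  ['https://example.com/', 'https://example.org/'],
];
for (const [from, to] of samples) {
  console.log(allowNavigation(from, to) ? 'allow' : 'block', from, '->', to.trim());
}
```

A check of this kind belongs in the browser process, where the real initiator of a navigation is known, rather than in page-controlled script.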