HTML injection in homescreen app bypassing DOM sanitizer — Mozilla

Mozilla fixed a bug in the l10n localization of the default homescreen app of Firefox OS reported by security researcher Muneaki Nishimura. Exploiting this issue requires tricking the user into bookmarking a specially crafted web page via the ‘Add to home screen’ functionality. As a result, an iframe controlled by the attacker would be executed with homescreen privileges, potentially leading to further system compromise.