The web console and JavaScript debugger do not sanitize all output that can
be hyperlinked. Both will display “chrome:” links as active, clickable
hyperlinks in their output. Web sites should not be able to directly link
to internal chrome pages. Additionally, the JavaScript debugger will
display “javascript:” links, which users could be tricked into clicking by
malicious sites. This vulnerability affects Firefox < 60.