Earlier today I was browsing the Wikipedia article “Red vs Blue (season 4)” on my phone and later tried to access it in my Firefox browser. Because I use Firefox Sync between my phone and PC, I tried to open the article through my browsing history. However, when I tried accessing the page, it opened normally but NoScript gave an XSS warning.
This is what the console gave (some parts translated from Finnish to English):
Warning: NetUtil.asyncFetch() requires the channel to have one of the security flags set in the loadinfo (see nsILoadInfo). Please create channel using NetUtil.newChannel()
[NoScript InjectionChecker] JavaScript Injection in ///wiki/Red_vs._Blue_(season_4)#688250164686641735
(function anonymous() {
wiki/Red_vs._Blue_(season_4) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Filtered suspicious request. Original URL [https://en.m.wikipedia.org/wiki/Red_vs._Blue_(season_4)#688250164686641735] requested from [chrome://browser/content/browser.xul]. Filtered URL: [https://en.m.wikipedia.org/wiki/Red_vs._Blue_%20season_4%20#07212695290159243714].
Warning: NetUtil.asyncFetch() requires the channel to have one of the security flags set in the loadinfo (see nsILoadInfo). Please create channel using NetUtil.newChannel()
What I’m wondering about is the big chunk of numbers after the hashtag at the end of the URL, since neither it nor the XSS alert appears when I open the article from inside Wikipedia itself. Could this be NoScript reacting falsely to some Wikipedia redirect commands?
crypto-report:
Certificate is not installed correctly
text-lb.esams.wikimedia.org
Please contact the Certificate Authority for further verification.
You have 2 errors
RSA wrong certificate installed.
The domain name does not match the certificate common name or SAN.
ECC wrong certificate installed.
The domain name does not match the certificate common name or SAN.
A little update: I ran into this issue with another article, “Red vs Blue (season 3)”, and the issue seems to follow this pattern: I visit an article with mobile Firefox, it gets synced to my desktop Firefox’s browsing history as the mobile version of the article with the URL “en.m.wikipedia.org”, and visiting that mobile version from my browser history triggers the NoScript XSS alert, giving exactly the same console info as in my original post, with only the number in the article name being different, and also a hashtag and a long string of numbers being added to the article URL. One thing that caught my eye in the console quote in my OP was that NoScript seemingly replaced the parentheses with other characters, though I’m not at all sure they relate to this issue, since it doesn’t seem to trigger with articles like “Overwatch (video game)”.
I just got a response from the Wikipedia information team:
Thank you for getting in contact regarding this - I'll begin to look into this, and try to confirm whether it is just NoScript reacting badly or indeed a legitimate concern.
If this does seem legitimate or I cannot confirm either way, this query will be passed to our internal security team.
The issue has to do with automated script detection. Preferably use a prefilter to be more specific (only cross-domain) (c).
Mitigate the possible XSS vulnerability, see below:
1. DOM-XSS vuln etc.
a. Good: disable JavaScript detection globally.
b. Acceptable: disable text-to-JavaScript promotion (but this will break intended manual conversions).
c. Preferred: use a prefilter to be more specific (only cross-domain).
Info credits go to jauburg on jquery code on the GitHub platform, thanks where thanks are due.
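A toy reconstruction of the two pieces of logic visible on this page, added here as an example; it is neither NoScript's own code nor the answerer's. It models the wrapper shape from the console trace in the question, "(function anonymous() { ... /* COMMENT_TERMINATOR */ DUMMY_EXPR })", which treats the URL path as JavaScript source and asks only whether it compiles, and it adds the "only cross-domain" prefilter the answer recommends under (c). The function names (isCrossDomain, parsesAsJavaScript, suspiciousUrl, defang) are invented, treating a chrome:// origin as cross-domain is an assumption of the example, and the real NoScript checker has further heuristics this page does not show (the question notes that other parenthesised titles do not trigger it), so this model is more eager than the real one. The sample URLs are the ones from the console trace.

```javascript
// Added example: toy model of a URL-as-JavaScript injection check with a
// cross-domain prefilter. Not NoScript's code; names are invented.

// Prefilter (answer, option c): only inspect requests whose origin differs
// from the target host. A chrome://, about: or unparsable origin (the log
// shows "requested from chrome://browser/content/browser.xul" for a history
// click) is treated as cross-domain. That treatment is an assumption here.
function isCrossDomain(requestUrl, originUrl) {
  const target = new URL(requestUrl);
  let origin;
  try {
    origin = new URL(originUrl);
  } catch (e) {
    return true; // no usable origin: be conservative and inspect
  }
  if (origin.protocol !== "http:" && origin.protocol !== "https:") {
    return true; // chrome://, about:, file: ... have no web origin
  }
  return origin.host !== target.host;
}

// Syntax probe, shaped like the snippet in the console trace. new Function()
// only compiles the text; nothing is executed. A SyntaxError means the path
// cannot be JavaScript, anything that compiles is flagged as "could be".
function parsesAsJavaScript(text) {
  const body = text + " /* COMMENT_TERMINATOR */\nDUMMY_EXPR";
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Combined check: prefilter first, then probe the decoded path with leading
// slashes stripped (the trace shows "///wiki/..." probed as "wiki/...").
function suspiciousUrl(requestUrl, originUrl) {
  if (!isCrossDomain(requestUrl, originUrl)) return false;
  const u = new URL(requestUrl);
  let path = u.pathname;
  try {
    path = decodeURIComponent(path);
  } catch (e) {
    // malformed percent-encoding: probe the raw path instead
  }
  return parsesAsJavaScript(path.replace(/^\/+/, ""));
}

// The rewrite visible in the "Filtered URL" line: parentheses become %20,
// which turns the call syntax "Name_(arg)" into something that cannot compile.
function defang(requestUrl) {
  return requestUrl.replace(/[()]/g, "%20");
}

// Demonstration on the URL from the question (constructed from the log).
const hit = "https://en.m.wikipedia.org/wiki/Red_vs._Blue_(season_4)#688250164686641735";
console.log("same-origin click  :", suspiciousUrl(hit, "https://en.m.wikipedia.org/wiki/Main_Page"));
console.log("from history/chrome:", suspiciousUrl(hit, "chrome://browser/content/browser.xul"));
console.log("after defang       :", suspiciousUrl(defang(hit), "chrome://browser/content/browser.xul"));
```

The path "wiki/Red_vs._Blue_(season_4)" compiles because JavaScript reads it as "wiki / Red_vs._Blue_(season_4)", an identifier divided by the result of a method call, with the trailing DUMMY_EXPR separated by automatic semicolon insertion. The defanged "wiki/Red_vs._Blue_ season_4 " does not, since two identifiers on one line with no operator between them is a syntax error. The prefilter is what keeps an in-site link from ever reaching the probe, which matches the question's observation that the warning only appears when the page is opened from outside Wikipedia.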