Skip to content

RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation

Low
mr-cheffy published GHSA-cc9c-mmmf-c5j6 May 8, 2026

Package

No package listed

Affected versions

<= 1.19.11b

Patched versions

>= 1.19.12b

Description

RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...).

Impact:

An attacker-controlled or compromised feed can influence browser tab creation with non-web item URLs. The final severity depends on how the runtime handles each scheme when lazy trusted tabs are restored or selected, but the current trust boundary allows untrusted feed content to choose navigation targets that should be limited to ordinary web URLs.

Preconditions:

  • The user adds an RSS live folder pointing to an attacker-controlled or compromised feed.
  • The feed contains a valid recent item with a non-http/https link.

Non-destructive validation:

  1. Use a disposable Zen profile.
  2. Serve a local RSS/Atom feed over http://127.0.0.1.
  3. Include one recent item whose link uses a non-web scheme.
  4. Add the local feed as an RSS live folder.
  5. Confirm whether the item survives provider filtering.
  6. Confirm whether the created pinned lazy tab preserves and attempts to load the non-web URL when activated.

Expected result:

The provider should reject or drop non-http/https item links before they reach tab creation.

Observed source behavior:

The source code only validates the top-level feed URL, not individual item links.

Recommended fix:

  • Validate every RSS/Atom item URL with new URL.
  • Allow only http: and https: item links.
  • Add a second allowlist check in ZenLiveFoldersManager before addTrustedTab.
  • Add regression tests covering javascript:, data:, file:, about:, chrome:, invalid URLs, and normal https: links.

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2026-44658

Weaknesses

No CWEs

Credits