OFFSITE.DARK
← Signals

Jun 29, 2026

1 min

Sploitus / Exploitarium

  • firefox
  • privacy
  • smart-window
  • exploitarium

news

Firefox Smart Window Private URL Exfiltration

Smart Window sets privateData without untrustedInput — attacker titles coerce get_page_content to fetch expanded private tab/history URL tokens.

Summary

Smart Window sets privateData without untrustedInput — attacker titles coerce get_page_content to fetch expanded private tab/history URL tokens. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

FindingDetail
Product / targetFirefox 152.0.2 x64 (Windows)
PrimitiveURL token expansion in tool args when privateData=true and untrustedInput=false
ImpactPrivate tab/history URLs (queries, tokens, reset links) leak to attacker HTTP endpoint via hidden fetch.

Attack Chain

Malicious title in tab/history → get_open_tabs/search_browsing_history → model calls get_page_content with tokenized attacker URL

Mitigation

Update Firefox; disable Smart Window in sensitive profiles; monitor for unexpected outbound fetches from browser.

Related Signals

Sources

→ Source