Xiaomi Execute Arbitrary JavaScript
I’m glad you’re here. Please have fun reading (nmochea).
In this writeup, I’ll tell you how I was able to execute arbitrary JavaScript in Xiaomi Browser using HTML injection.
Description
Due to a lack of HTML sanitization, it’s possible to inject a malicious iframe tag in Readmode and execute arbitrary JavaScript code.
I looked at the browser’s file:///android_asset/readmode/Readability.js source code, where the HTML and JavaScript are sanitized. However, after reading the Java source code of the readmode activity and reading_mode_html_internal.js, I found that I had a chance to use an HTML payload inside the <title> tag without it passing through sanitization.
Snippet from com.android.browser.readmode.e.java:

Snippet from file:///android_asset/readmode/reading_mode_html_internal.js:

After the content of the HTML <title> tag is extracted into a string, it is not passed through sanitization.
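To show what the missing step looks like, here is an added illustration that is not the browser’s own source (function names and the sample title are hypothetical): the extracted title is escaped before it is placed into the reading-mode markup, so any tag it carries is rendered as text rather than as HTML.

```javascript
// Added example, not Xiaomi Browser code. Names and the sample title are
// hypothetical; the pattern is the one the writeup describes: title text
// inserted into the reading-mode page without sanitization.

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the <title> string is concatenated straight into the
// template, so markup inside it becomes live HTML in the reader view.
function buildReaderHtmlUnsafe(title, sanitizedBody) {
  return `<h1 class="reader-title">${title}</h1>\n${sanitizedBody}`;
}

// Hardened pattern: the title is escaped first, like the article body already
// is, so it can only ever render as text.
function buildReaderHtmlSafe(title, sanitizedBody) {
  return `<h1 class="reader-title">${escapeHtml(title)}</h1>\n${sanitizedBody}`;
}

// Constructed sample page title carrying an iframe tag, as in the writeup.
const SAMPLE_TITLE = 'Weekly News <iframe src="https://example.invalid/"></iframe>';
const SAMPLE_BODY = "<p>Article text that already went through the sanitizer.</p>";

// Quick self-check: does a raw iframe tag survive into the generated markup?
function titleLeaksMarkup(builder) {
  return builder(SAMPLE_TITLE, SAMPLE_BODY).includes("<iframe");
}

console.log("unsafe leaks markup:", titleLeaksMarkup(buildReaderHtmlUnsafe)); // true
console.log("safe leaks markup:", titleLeaksMarkup(buildReaderHtmlSafe));     // false
```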
Steps to Reproduce
- Create a malware_frame.html file with the following content:

- Create a poc.html file with the following content:

- Run a local server on localhost:8080
- In the browser, open the following URL: http://localhost:8080/poc.html
- The JavaScript from malware_frame.html executes immediately after Readmode is turned ON
Vulnerability Disclosure
April 30, 2021 – I reported this vulnerability on the HackerOne platform.
May 8, 2021 – My report was triaged.
May 17, 2021 – The vulnerability was fixed and I received a bounty.
Thanks for reading this article, I hope you guys learned something new today. Please share this article to spread the knowledge.