Xiaomi Execute Arbitrary JavaScript


Due to lack of HTML Sanitization, It’s possible to Inject Malicious Iframe tag in Readmode and Execute Arbitrary JavaScript code.

Step to Reproduce

  • Create malware_frame.html file with following content
  • Create poc.html file with following content
  • Run local server localhost:8080
  • In browser, open the following url http://localhost:8080/poc.html
  • The JavaScript from malware_frame.html executed immediately after Readmode ON

Disclosure Timeline

  • April 30, 2021 — I reported it on HackerOne Platform regarding this vulnerability issue.
  • May 8, 2021 — My report has been triaged.
  • May 17, 2021 — Vulnerability has been fixed and got bounty.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store