Xiaomi Execute Arbitrary JavaScript

Neil Mark Ochea
2 min read, Jan 12, 2022

In this writeup, I’ll explain how I was able to execute arbitrary JavaScript in the Xiaomi Browser using HTML injection.

Description

Due to a lack of HTML sanitization, it is possible to inject a malicious iframe tag in Readmode and execute arbitrary JavaScript code.

I looked at the browser’s file:///android_asset/readmode/Readability.js source code; the HTML and JavaScript there are sanitized. However, I then read the Java source code of the Readmode activity and the reading_mode_html_internal.js source code.

I found that an HTML payload placed inside the <title> tag does not pass through sanitization.

In the com.android.browser.readmode.e.java code snippet

In the file:///android_asset/readmode/reading_mode_html_internal.js code snippet

After the contents of the HTML <title> tag are read into a string, that string is not passed through sanitization before it is used to build the Readmode view.
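As an added example (not Xiaomi’s code and not from the original post), the following JavaScript shows the pattern described above: a reader mode that extracts the page title and splices it straight into its own markup, beside the escaped version that renders any tag in the title as plain text. The function names and the sample page are constructed for this example.

```javascript
// Added example (not Xiaomi's code): treat the page <title> as text, not HTML.
// extractTitle(), buildReaderHeader*() and titleLooksLikeMarkup() are
// hypothetical names chosen for this illustration.

// Pull the raw <title> text out of an HTML document string, as a reader mode
// does before it builds its own view of the page.
function extractTitle(html) {
  const m = /<title[^>]*>([\s\S]*?)<\/title>/i.exec(html);
  return m ? m[1].trim() : "";
}

// Escape the characters that let a string break out of HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern: the title is concatenated into the markup, so any tag it
// carries becomes a live element in the reader view.
function buildReaderHeaderUnsafe(title) {
  return `<h1 class="reader-title">${title}</h1>`;
}

// Safe pattern: the title is escaped first, so a tag in it is displayed as text.
function buildReaderHeaderSafe(title) {
  return `<h1 class="reader-title">${escapeHtml(title)}</h1>`;
}

// Detection helper: a plain-text title should never contain a tag; flag it
// if it does, so the case can be logged or rejected.
function titleLooksLikeMarkup(title) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(title);
}

// Constructed sample page: the <title> is the injection point the writeup
// describes. The iframe here is inert (about:blank) and only shows the pattern.
const SAMPLE_PAGE =
  '<html><head><title>Hello <iframe src="about:blank"></iframe></title></head>' +
  "<body><p>article text</p></body></html>";

const title = extractTitle(SAMPLE_PAGE);
console.log("markup in title:", titleLooksLikeMarkup(title)); // true
console.log(buildReaderHeaderUnsafe(title)); // iframe tag survives into the view
console.log(buildReaderHeaderSafe(title));   // iframe shown as literal text
```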

Steps to Reproduce

  • Create a malware_frame.html file with the following content
  • Create a poc.html file with the following content
  • Run a local server on localhost:8080
  • In the browser, open the following URL: http://localhost:8080/poc.html
  • The JavaScript from malware_frame.html executes immediately after Readmode is turned on

Disclosure Timeline

  • April 30, 2021 — I reported this vulnerability on the HackerOne platform.
  • May 8, 2021 — My report was triaged.
  • May 17, 2021 — The vulnerability was fixed and I received a bounty.

Thanks for reading this article; I hope you learned something new today. Please share this article to spread the knowledge.

Don’t forget to follow and connect with me through LinkedIn, and Twitter.
