Mozilla has roll-out protective measures in the Firefox web browser to avoid software injection attacks by eliminating evalual()-like functions and inline scripts.
“A proven way of combating software injection attacks is by increasing the surface of the attack by eliminating potentially dangerous objects from the codebase and thereby hardening the code at various levels,” Mozilla’s security team told today.
“We’ve added occurrences of inline scripts and disabled eval()-like functions in order to make Firefox robust against such software injection attacks.”
Removal of inline scripts
Execution of functions to deactivate evalual () functions
“This execution scheme allows to execute software created at runtime or stored in non-script places, like the Document-Object Model (DOM), as Mozilla provides additional data about the dev web docs,” eval() is a dangerous feature which executes the code it transfers with caller privileges.
Coding without eval()
Runtime statements have also been introduced to Firefox’s codebase, a move designed to deprive system-privileged script meaning of assessment() like features.
Mozilla also noticed calls to eval() outside Firefox while it removed all eval() like features. For example, users of Firefox would include eval() functions in custom files like userChrome.js to configure Firefox at runtime.
Runtime checks by the Mozilla Security Team showed that users included evaluations in some of these customization files. To allow users to adapt their experience to Firefox, Mozilla says the app will remove “blocking mechanisms and allow for use of evalual().” “With this in mind, our implemented eval() assertions will continue to notify Mozilla Security Team about the unknown instances of eval().