[iOS] URL can be replaceState by blob URL in iOS Brave

Disclosed: 2017-08-10 05:08:59 By xifengweiyu To brave
Low
Vulnerability Details
## Summary:

URL can be replaced by a blob URL using the function history.replaceState()

## Products affected:

iOS Brave version 1.3.1 (17.02.14.11)

## Steps To Reproduce:

- Add an HTML file named "blob.html" whose link is "http://192.168.1.111/blob.html"
- And its source is:

```html
<script>
history.replaceState('','','blob:http://192.168.1.111/xxxx')
</script>
```

- Then visit this page; you will find that the URL has been replaced by the blob URL successfully!
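Why the `blob:` target from the report should be refused, as an added example that is not part of the original report and not Brave's code: a check that compares only origins accepts it, while a check modeled on the HTML Standard's URL-rewrite rule for `history.replaceState()` rejects it. The function names are hypothetical, and the example assumes a WHATWG `URL` implementation such as the one in Node.js.

```javascript
// Added example; function names are illustrative, not Brave's implementation.
const DOC_URL = 'http://192.168.1.111/blob.html';      // page URL from the report
const BLOB_TARGET = 'blob:http://192.168.1.111/xxxx';  // replaceState argument from the report

// Origin-only comparison. The origin of a blob: URL is the origin of the URL
// embedded in its path, so the blob: target looks same-origin here.
function originOnlyCheck(documentUrl, target) {
  const doc = new URL(documentUrl);
  const next = new URL(target, doc);
  return next.origin === doc.origin;
}

// Stricter check modeled on the HTML Standard: the new URL may differ from the
// document URL only in path, query and fragment (and, for non-HTTP(S) schemes,
// only in the fragment).
function canRewriteUrl(documentUrl, target) {
  const doc = new URL(documentUrl);
  let next;
  try {
    next = new URL(target, doc); // relative targets resolve against the document
  } catch {
    return false;                // unparsable target
  }
  for (const part of ['protocol', 'username', 'password', 'hostname', 'port']) {
    if (next[part] !== doc[part]) return false;
  }
  if (next.protocol === 'http:' || next.protocol === 'https:') return true;
  if (next.protocol === 'file:') return next.pathname === doc.pathname;
  return next.pathname === doc.pathname && next.search === doc.search;
}

console.log('origin-only check accepts blob target:', originOnlyCheck(DOC_URL, BLOB_TARGET));
console.log('component check accepts blob target:  ', canRewriteUrl(DOC_URL, BLOB_TARGET));
console.log('component check accepts same-site path:', canRewriteUrl(DOC_URL, '/other?x=1'));
```
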
Report Stats
  • Report ID: 215044
  • State: Closed
  • Substate: resolved
  • Upvotes: 6