Maxthon3 Cross Context Scripting Vulnerability in about:history Page Allowing Remote Code Execution
Vulnerability
A cross context scripting vulnerability has been identified in Maxthon3 versions prior to 3.3. This issue arises in the about:history page, where the browser's trusted zone improperly manages injected script content. This flaw allows attackers to execute arbitrary JavaScript in a privileged context, enabling them to modify browser settings and execute arbitrary code through Maxthon's DOM APIs, such as maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation of this vulnerability requires user interaction, typically by visiting a malicious webpage that triggers the injection.
Impact
Successful exploitation allows remote attackers to execute arbitrary script code in the context of the privileged browser zone, potentially leading to unauthorized modification of browser settings or execution of arbitrary commands on the user's system.
Reproduction
The vulnerability can be reproduced by injecting JavaScript or HTML into the about:history page via the location.hash property of a malicious webpage. Once the injection is successful, the about:history page can be accessed, executing the injected script in the trusted zone. This exploitation can be automated with a Metasploit module that handles the injection and execution process.
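The underlying pattern is a DOM-based injection: text taken from the URL fragment (location.hash) is written into a page that runs with browser-level privileges, so any markup in the fragment becomes live content in the trusted zone. The following is an added illustration, not Maxthon's code and not the Metasploit module mentioned above; the functions `renderUnsafe`, `renderSafe`, `filterFromHash` and `containsActiveContent`, and the idea of a history page reading a search filter from the fragment, are hypothetical stand-ins for the vulnerable and hardened forms of that pattern. It runs under Node with no dependencies.

```javascript
// Added example (not from the advisory or Maxthon): an internal "history" page
// that reads a search filter from the URL fragment, shown in a vulnerable form
// and a hardened form. All names and the page layout are constructed.

// Minimal HTML escaper covering text nodes and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Extract the filter string from a raw location.hash value such as
// "#search%20term". Malformed percent-encoding is treated as empty input.
function filterFromHash(hash) {
  const raw = String(hash).replace(/^#/, '');
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return '';
  }
}

// VULNERABLE pattern: fragment text is concatenated straight into markup that
// the page would then assign to innerHTML. Any markup in the fragment is
// rendered as real elements in the page's privileged origin.
function renderUnsafe(hash) {
  const filter = filterFromHash(hash);
  return '<h1>History matching: ' + filter + '</h1>';
}

// HARDENED pattern: the same fragment is escaped before it reaches markup, so
// it is displayed as literal text. Production code should go further and use
// textContent or DOM construction APIs instead of building HTML strings.
function renderSafe(hash) {
  const filter = filterFromHash(hash);
  return '<h1>History matching: ' + escapeHtml(filter) + '</h1>';
}

// Crude review check over rendered output: does it contain a script element or
// an inline event handler attribute that a plain text filter should never yield?
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=/i.test(html);
}

// Stand-alone run: compare both renderings of a constructed fragment.
if (typeof require !== 'undefined' && require.main === module) {
  const sample = '#<script>x()</script>';
  console.log('unsafe :', renderUnsafe(sample), '->', containsActiveContent(renderUnsafe(sample)));
  console.log('safe   :', renderSafe(sample), '->', containsActiveContent(renderSafe(sample)));
}
```

The escaping step is the minimal fix; the more robust defence for privileged internal pages is to never route untrusted URL fragments through innerHTML at all, and to treat internal pages as an attack surface in the same way as web content (content security policy, no string-to-markup rendering).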
Remediation
No official patch is available. Users are advised to avoid using the Maxthon browser.