Dark Reader Cross-Origin Stylesheet Request Vulnerability

Vulnerability

A vulnerability in the Dark Reader browser extension, prior to version 4.9.117, allowed websites to request stylesheets from a user's local web server. This was possible if the stylesheet's URL was known and the server responded with a 'text/css' content type. The issue arose because Dark Reader's dynamic dark mode feature analyzed cross-origin stylesheets by fetching them via a background worker, without credentials, and then parsed the styles for use in the extension. The fetched styles were also stored in the page's Session Storage for performance reasons. As a result, a website could potentially exploit this behavior to access local resources, such as stylesheets hosted on 'localhost'.

Impact

Exploitation of this vulnerability could lead to unauthorized access to local resources by a website, allowing the site to read stylesheets from a locally running web server.

Remediation

Users should update to Dark Reader version 4.9.117 or later. Most users will receive this update automatically, but those using manual builds must upgrade to version 4.9.118 or above. Developers using the 'darkreader' NPM package for website integration are not affected, but should ensure that cross-origin requests are properly scoped. Those using custom forks of Dark Reader must review their implementation to secure cross-origin requests.
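For maintainers of custom forks, one way to scope a background stylesheet fetch is sketched below. This is an added example, not Dark Reader's code or its actual fix; the function names `isLocalHost` and `mayFetchStylesheet` and the policy itself (public pages may not reach loopback or private hosts, local pages may) are assumptions made for illustration.

```javascript
// Added example: hypothetical policy check, not Dark Reader's code.
// Prefixes of loopback, private, link-local and "this host" IPv4 ranges.
const LOCAL_V4 = [
  /^127\./, /^10\./, /^192\.168\./, /^169\.254\./, /^0\./,
  /^172\.(1[6-9]|2\d|3[01])\./,
];

// True when a URL hostname names the user's machine or a private network.
function isLocalHost(hostname) {
  const h = hostname.toLowerCase()
    .replace(/^\[|\]$/g, "")   // URL.hostname keeps [] around IPv6 literals
    .replace(/\.$/, "");       // tolerate a trailing dot ("localhost.")
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1" || h === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true;  // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true;  // fe80::/10 link-local
  const isV4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(h); // avoid matching "10.example.com"
  return isV4 && LOCAL_V4.some((re) => re.test(h));
}

// Decide whether a background worker may fetch sheetUrl on behalf of pageUrl.
function mayFetchStylesheet(pageUrl, sheetUrl) {
  let page, sheet;
  try {
    page = new URL(pageUrl);
    sheet = new URL(sheetUrl, page); // resolve relative hrefs against the page
  } catch {
    return false; // unparseable input is refused
  }
  if (sheet.protocol !== "http:" && sheet.protocol !== "https:") return false;
  if (sheet.origin === page.origin) return true;
  // A page served from a public host must not reach local or private hosts.
  if (isLocalHost(sheet.hostname) && !isLocalHost(page.hostname)) return false;
  return true;
}

// Constructed sample inputs (page URL, stylesheet URL).
const samples = [
  ["https://example.com/", "https://cdn.example.net/site.css"],
  ["https://example.com/", "http://localhost:8080/style.css"],
  ["https://example.com/", "http://[::1]:3000/style.css"],
  ["http://localhost:3000/", "http://localhost:8080/style.css"],
];
for (const [page, sheet] of samples) {
  console.log(mayFetchStylesheet(page, sheet) ? "allow" : "deny", page, "->", sheet);
}
```

The check works on the URL's hostname only, so a public DNS name that resolves to a local address is not caught; where the platform exposes the resolved address, it should be checked as well.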

Added: Mar 4, 2026, 10:22 PM
Updated: Mar 4, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 5.8
remediation: 0.0
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.