Protected Total WebShield Extension Cross-Site Scripting Vulnerability in Chrome
Vulnerability
A cross-site scripting vulnerability has been identified in the Protected Total WebShield Extension for Chrome, affecting versions through 3.2.0. The issue arises in the Block Page component, where the 'category' URL parameter is not properly sanitized before being displayed. This flaw allows remote attackers to inject arbitrary HTML, including iframes, into the extension's user interface. The vulnerability requires user interaction to exploit.
Impact
Exploitation of this vulnerability allows for self-HTML injection, where injected content is rendered as part of the extension's UI. This could be used to load remote content, phish users, or execute scripts within the context of the extension's blocked-page interface. The vulnerability could also be combined with other extension bugs to potentially escalate privileges or execute code.
Reproduction
To reproduce this vulnerability, install the Total WebShield Chrome extension and enable it. Then, visit a URL that the extension will classify as malicious, which will trigger the block page. Next, construct a URL that includes an encoded HTML iframe in the 'category' parameter and navigate to it. The injected iframe will appear in the block page UI, rendering external content.
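The root cause described above, a 'category' parameter placed into the block page without sanitization, is shown here beside a hardened renderer. This is an added example, not the extension's own code; the page path, function names, category labels and sample URLs are assumptions constructed for illustration.

```javascript
// Added illustration; not the extension's source. All names are hypothetical.
// Constructed allow-list mapping category keys to fixed display labels.
const CATEGORY_LABELS = new Map([
  ["malware", "Malware"],
  ["phishing", "Phishing"],
  ["scam", "Scam"],
]);

// Read the attacker-influenced 'category' query parameter (URL-decoded).
function getCategory(pageUrl) {
  return new URL(pageUrl).searchParams.get("category") ?? "";
}

// Vulnerable pattern: the decoded value is concatenated into markup, so any
// tags in it become part of the block page once assigned to innerHTML.
function renderCategoryUnsafe(pageUrl) {
  return `<p id="reason">Blocked category: ${getCategory(pageUrl)}</p>`;
}

// Escape the five HTML-significant characters for text and attribute contexts.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: only allow-listed keys select a label; anything else
// collapses to a fixed string, and the output is escaped regardless.
function renderCategorySafe(pageUrl) {
  const key = getCategory(pageUrl).trim().toLowerCase();
  const label = CATEGORY_LABELS.get(key) ?? "Uncategorized";
  return `<p id="reason">Blocked category: ${escapeHtml(label)}</p>`;
}

// Constructed sample URLs (placeholder host and path).
const BASE = "chrome-extension://extension-id-placeholder/block.html";
const benignUrl = `${BASE}?category=phishing`;
const injectedUrl = `${BASE}?category=` +
  encodeURIComponent('<iframe src="https://example.invalid/"></iframe>');

console.log(renderCategoryUnsafe(injectedUrl)); // iframe markup survives
console.log(renderCategorySafe(injectedUrl));   // fixed label, no markup
console.log(renderCategorySafe(benignUrl));
```

In an actual extension page, assigning the label through `textContent` instead of building an HTML string gives the same result without relying on escaping.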
