Zen Browser RSS Feed URL Validation Vulnerability Allowing Non-Web Item Links

A vulnerability exists in Zen Browser versions through 1.19.11b, where RSS feed item links are not properly validated for web schemes before being used to create trusted tabs. This issue allows an attacker to manipulate tab creation with non-web URLs, potentially leading to unintended navigation behaviors. The vulnerability arises because only the feed URL is validated, leaving item links open to exploitation.

Impact

Exploitation of this vulnerability could result in the creation of pinned lazy tabs that attempt to load non-web URLs, bypassing the intended trust boundaries and potentially causing undesired navigation actions.

Reproduction

To reproduce this vulnerability, add an RSS live folder that points to an attacker-controlled feed containing a recent item link with a non-web scheme. The browser will not filter out the invalid URL before it is used to create a pinned lazy tab, which will then attempt to load the non-web link when activated.

Remediation

Users can update to Zen Browser version 1.19.12b or later, where this vulnerability has been fixed.