
Modal mode allows bypassing pop-up blocker

Open palant opened this issue 2 years ago • 0 comments

Note: I am aware that modal mode is currently disabled, I had to change extension settings manually in order to enable it. It could be re-enabled at some point in future however, and this security issue needs to be addressed prior to that. Also, modal mode might still be enabled for users who installed the extension before it was disabled.

The following code is problematic:

https://github.com/itsecurityco/to-google-translate/blob/000179793db479a1f8330a774c4c0a489a76c482/src/content/modal.js#L96-L99

This opens the URL currently loaded into the frame in a new tab. That URL might have been manipulated by the webpage however. For example, when the modal is open, the following code allows the webpage to open example.com in a new tab at will, completely bypassing pop-up blocker and any additional checks (e.g. when page is loaded into a sandboxed frame without pop-ups permission):

```js
document.body.lastChild.shadowRoot.querySelector("iframe").src = "https://example.com/";
document.body.lastChild.shadowRoot.querySelector(".new-tab").click();
```

Note that once the modal is open, there is nothing preventing the website from holding on to the element and using it to open further pop-ups even after it has been “closed.”

Recommendations:

  • Always open this.url in the new tab, regardless of what is currently loaded in that frame.
  • When handling events, make sure to check event.isTrusted so that website-generated events don’t trigger any actions.
  • When creating the shadow root, it might be a good idea to pass {mode: "closed"} in order to prevent website scripts from messing with your content.

palant · Nov 24 '21 13:11
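As an added illustration (not the extension's own code), the following models the modal's "open in new tab" handler without a real DOM, once in the shape the issue describes and once following the first two recommendations; `frame`, `openTab` and the handler factory names are hypothetical, and the translate URL is a constructed sample.

```javascript
// Added illustration (not the to-google-translate extension's own code):
// models the modal's "open in new tab" handler without a real DOM.
// `openTab`, `frame` and the handler factories are hypothetical names.

// Vulnerable shape described in the issue: opens whatever the frame
// currently points at, and acts on any click, synthetic or not.
function makeVulnerableHandler({ frame, openTab }) {
  return function onNewTabClick(event) {
    openTab(frame.src);
    return true;
  };
}

// Hardened shape following the recommendations: always open the URL the
// extension itself chose, and ignore events dispatched by page scripts.
function makeHardenedHandler({ url, openTab }) {
  return function onNewTabClick(event) {
    if (!event || event.isTrusted !== true) return false; // synthetic click
    openTab(url);
    return true;
  };
}

// Runs both handlers through the scenario from the issue: the page rewrites
// the iframe src, then dispatches a synthetic click on the new-tab control.
function runScenario() {
  const translateUrl = "https://translate.google.com/?text=hello"; // constructed
  const opened = { vulnerable: [], hardened: [] };
  const frame = { src: translateUrl };
  const vulnerable = makeVulnerableHandler({ frame, openTab: (u) => opened.vulnerable.push(u) });
  const hardened = makeHardenedHandler({ url: translateUrl, openTab: (u) => opened.hardened.push(u) });

  // Website script: point the frame elsewhere, then fire a fake click.
  frame.src = "https://example.com/";
  const syntheticClick = { type: "click", isTrusted: false };
  vulnerable(syntheticClick); // vulnerable handler opens example.com
  hardened(syntheticClick);   // hardened handler does nothing

  // A genuine user click on the hardened control still opens the intended URL.
  hardened({ type: "click", isTrusted: true });
  return opened;
}
```

Passing `{mode: "closed"}` to `attachShadow` addresses the third recommendation separately: with a closed root, `host.shadowRoot` is null for page scripts, so they cannot reach the iframe or the control in the first place.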