javascript - Is calling a method of `unsafeWindow` in GM script with privileges a vulnerable practice? -

javascript - Is calling a method of `unsafeWindow` in GM script with privileges a vulnerable practice? -

- July 15, 2012

i have script like

// ==userscript== // @grant       gm_getvalue // @grant       gm_setvalue // @include     * // @run-at      document-start // ==/userscript==  var foo = gm_getvalue('foo'); var _open = unsafewindow.open; unsafewindow.open = function(){    if( /* */ ){       _open();    }    settimeout(function() {         gm_setvalue('bar', 'bar');     }, 0); }

maybe malicious site could

add getter window.open execute malicious code when var _open = unsafewindow.open
add setter window.open execute malicious code when unsafewindow.open = /*...*/
replace window.open malicious function, execute when use _open()

could way malicious site gain privileges use gm_getvalue or gm_setvalue, or variables defined in script (like foo)?

Comments