DuckDuckGo has fixed a universal cross-site scripting (uXSS) vulnerability in its popular browser extensions for Google Chrome and Mozilla Firefox.
The extension blocks hidden trackers and offers private browsing features. The vulnerability could lead to uXSS on the victim’s device, allowing arbitrary code to be executed on any domain, says researcher Wladimir Palant.
The vulnerability has been patched in Chrome and Mozilla Firefox, but no update has been issued for other browsers such as Microsoft Edge.
Palant, in his blog, said that this security flaw could enable malicious actors to spy on all websites that the user is visiting.
He wrote: “Note how agentSpoofer.getAgent() is inserted into this script without any escaping or sanitization. Is that data trusted?”
Palant told The Daily Swig: “The attackers can spy on anything the users do in their browser, they can manipulate displayed information, take over accounts, impersonate the user.”
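The pattern Palant's question points at, a value inserted into script source without escaping, is shown below next to an escaped version. This is an added example, not code from the extension or from Palant's post; the function names, the stub navigator object and the test strings are assumptions constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not the extension's code.

// Vulnerable pattern: the value is pasted into script source as-is, so a
// quote character inside it ends the string literal early.
function buildScriptUnsafe(agent) {
  return 'Object.defineProperty(navigator, "userAgent", { get: () => "' +
    agent + '" });';
}

// Hardened pattern: serialize the value as a JavaScript string literal.
function buildScriptSafe(agent) {
  const literal = JSON.stringify(String(agent))
    .replace(/</g, "\\u003c")        // value cannot close an inline <script>
    .replace(/\u2028/g, "\\u2028")   // line separators stay escaped
    .replace(/\u2029/g, "\\u2029");
  return 'Object.defineProperty(navigator, "userAgent", { get: () => ' +
    literal + ' });';
}

// Runs generated source against a stub navigator and reports whether any
// statement other than the intended getter definition executed.
function evaluate(src) {
  const navigator = {};
  const probe = { touched: false };
  try {
    new Function("navigator", "probe", src)(navigator, probe);
  } catch (e) {
    return { error: true, touched: probe.touched, userAgent: undefined };
  }
  return { error: false, touched: probe.touched, userAgent: navigator.userAgent };
}

// Constructed test values (not taken from the page).
const BENIGN = "Mozilla/5.0 (X11; Linux x86_64) Test/1.0";
const BREAKOUT = 'x" }); probe.touched = true; ({ get: () => "';

for (const [name, build] of [["unsafe", buildScriptUnsafe], ["safe", buildScriptSafe]]) {
  for (const value of [BENIGN, BREAKOUT]) {
    const r = evaluate(build(value));
    console.log(name, JSON.stringify(value), "extra statement ran:", r.touched);
  }
}
```

With the unescaped builder, the second test value runs as a statement of its own; with the escaped builder, it is returned unchanged as the getter's string value.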