Possible side-channel information leak using IntersectionObserver

Question

Possible side-channel information leak using IntersectionObserver

bokand opened this issue 5 years ago · 3 comments

If an attacker has an iframe embedded in the victim page, they can determine some information from the victim page across origins. Using an intersection observer, the attacker can determine if the iframe intersects the viewport and use that to guess whether a followed link resolved to the text fragment.

Answer 1 · 2020-01-22T01:14:28.000Z

PoC: https://shhnjk.azurewebsites.net/check_name.html

Answer 2 · 2023-05-11T14:12:34.000Z

@shhnjk your link no longer works, but I made a new PoC: https://software.hixie.ch/utilities/js/live-dom-viewer/saved/11657

<!DOCTYPE html>
<p style="margin-bottom: 150vh">x</p>
<p>Target text</p>
<iframe src="data:text/html,<body><pre></pre><script>var io = new IntersectionObserver(entries => {
  document.body.firstChild.textContent = entries[0].isIntersecting ? 'Text fragment was scrolled to' : 'No scrolling observed';
  io.unobserve(document.body);
}); 
io.observe(document.body)</script>"></iframe>
<p style="margin-bottom: 150vh">x</p> 
<script>
location.hash = "#:~:text=Target%20text"; 
</script>

Answer 3 · 2023-05-11T14:14:04.000Z

The iframe could also use a lazy-loading image (which is implemented using IntersectionObserver).