Category Archives: advisory

Cross-site Scripting in OfA – Opera Security Advisories

CVE ID: CVE-2020-6159
PRODUCT: Opera for Android
VERSION: Below 61.0.3076.56532
PROBLEM TYPE: Cross-site Scripting (CWE-79)
DESCRIPTION: URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack…

Address bar spoofing in Opera Mini for Android – Opera Security Advisories

CVE ID: CVE-2020-6158
PRODUCT: Opera Mini for Android
VERSION: Below 52.2
PROBLEM TYPE: Address bar spoofing
DESCRIPTION: Opera Mini for Android before version 52.2 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another…

Address bar spoofing in Opera Touch for iOS – Opera Security Advisories

CVE ID: CVE-2020-6157
PRODUCT: Opera Touch for iOS
VERSION: Below 2.4.5
PROBLEM TYPE: Address bar spoofing
DESCRIPTION: Opera Touch for iOS before version 2.4.5 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another…

Bypass a restriction in OfA 54 – Opera Security Advisories

CVE ID: CVE-2019-19788
PRODUCT: Opera for Android
VERSION: Below 54.0.2669.49432
PROBLEM TYPE: Bypass a restriction or similar
DESCRIPTION: Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without…

Replaced code signing certificate – Opera Security Advisories

Severity: None
Description: Opera Software recently experienced an attack on the internal infrastructure. Following best practices, Opera Software is replacing signing certificates in Opera with newly issued certificates. Certificates in Opera include the code signing certificate for desktop binaries and the signing certificate for automatic updates to browser.js. Opera’s rootstore was not affected by the…

Cookies can be set for a top-level domain – Opera Security Advisories

Severity: Low
Description: Browsers should only allow cookies to be set for the website that created them. In some specific cases, Opera does not apply this restriction correctly, and allows a website to set a cookie for its entire top-level domain (such as .com or .co.uk). A malicious site could then redirect the user to…

TLS response timings can indicate network contents – Opera Security Advisories

Severity: Low
Advisory: When Opera receives incorrectly encrypted network data, Opera will detect this and let the sender know that the data was not understood. Such encrypted error responses are marginally faster than regular responses. An attacker with access to the network can, by replacing network data, measure Opera’s response speed and deduce the content.…