statusfailed
9 hours ago
Seems bad. "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."
See:
- NVD page for CVE-2024-9680: https://nvd.nist.gov/vuln/detail/CVE-2024-9680
- Mozilla security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2024-5...
btdmaster
7 hours ago
Ticket in Tor Browser: https://gitlab.torproject.org/tpo/applications/tor-browser/-...
It seems to be JavaScript-free from the description, which makes it even scarier. Imagine the libwebp decoder bug except embedded media blocking doesn't really work (who blocks CSS?).
mrob
7 hours ago
I block CSS animations:
https://news.ycombinator.com/item?id=33223080
I'd be interested to know if it's sufficient to avoid this recent vulnerability. Either way, it confirms my opinion that UI animations are an anti-feature.
schiffern
5 hours ago
As a uBlock Origin filter (paste in Settings > My Filters):
! No CSS animations
##*,::before,::after:style(transition:none !important;animation-delay:0ms !important;animation-duration:0ms !important)
! No CSS animations (different method)
##*,::before,::after:style(animation-timing-function:step-start !important;transition-timing-function:step-start !important)
There's other (often perf heavy) CSS clutter that's nice to get rid of:
! No image filters
##*,::before,::after:style(filter:none !important)
! No text-shadow
##*,::before,::after:style(text-shadow:none !important)
! No box-shadow
##*,::before,::after:style(box-shadow:none !important)
! No rounded corners
##*,::before,::after:style(border-radius:0px !important)
No rounded corners is fun. You realize many loading spinners are actually CSS rounded corners! Youtube becomes almost unrecognizable — mercifully — especially if you also revert the new TikTok-inspired font:
! Un-bold Youtube
youtube.com##*:style(font-weight:400 !important)
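The filters in the comment above, translated into plain CSS for a Firefox user stylesheet (userContent.css). This is an added example, not part of the thread: the function names `filterToCss` and `convertList` are hypothetical, and only the `[domains]##selector:style(declarations)` filter shape quoted above is handled.

```javascript
// Added example: convert uBlock Origin ":style()" cosmetic filters to CSS.
// Supports only the shape "[domains]##selector:style(declarations)".

function filterToCss(line) {
  const text = line.trim();
  // Blank lines and "!" comment lines produce no CSS.
  if (text === '' || text.startsWith('!')) return null;

  const sep = text.indexOf('##');
  if (sep === -1) throw new Error('not a cosmetic filter: ' + text);
  const domains = text.slice(0, sep);
  const body = text.slice(sep + 2);

  // Everything before the trailing :style(...) is the selector list.
  const m = /^(.*):style\((.*)\)$/.exec(body);
  if (!m) throw new Error('no :style() action: ' + text);
  const declarations = m[2]
    .split(';')
    .map((d) => d.trim())
    .filter(Boolean)
    .join('; ');
  const rule = `${m[1]} { ${declarations}; }`;

  // A filter without a domain prefix applies to every site.
  if (domains === '') return rule;

  // Domain-scoped filters become an @-moz-document block, which Firefox
  // accepts in user stylesheets. Negated domains (~example.com) are rejected.
  const scope = domains.split(',').map((d) => {
    const name = d.trim();
    if (name.startsWith('~')) throw new Error('negated domain: ' + name);
    return `domain("${name}")`;
  });
  return `@-moz-document ${scope.join(', ')} { ${rule} }`;
}

// Convert a whole filter list, dropping comments and blank lines.
function convertList(listText) {
  return listText
    .split('\n')
    .map(filterToCss)
    .filter((css) => css !== null)
    .join('\n');
}
```

The thread does not establish whether any of these rules affects CVE-2024-9680, so the output is a styling preference, not a substitute for the patched browser build.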
tempaccount420
3 hours ago
Is this karma for dropping Rust? (please don't explain how Rust actually wouldn't fix this)