In Adblock Plus ad blocker
Authors of filter lists can get their code executed in the context of the sites a user opens by adding rules with the operator "
However, code execution can be achieved by a workaround.
Some sites, including Google Maps, Gmail, and Google Images, dynamically load JavaScript code that is delivered as plain text. If the server allows requests to be redirected, then forwarding to another host can be achieved by changing the URL parameters (for example, in the context of Google, a redirect can be made through the API "
The proposed attack method only affects pages that dynamically load strings of JavaScript code (for example, via XMLHttpRequest or Fetch) and then execute them. Another important limitation is that the attacker needs either a redirect or the ability to place arbitrary data on the origin server that serves the resource. Nevertheless, to demonstrate that the attack is practical, it is shown how to get one's own code executed when maps.google.com is opened, using a redirect through "google.com/search".
The fix is still in preparation. The problem also affects blockers
Adblock Plus developers consider real attacks unlikely, since all changes to the regular rule lists are reviewed and users rarely connect third-party lists. Rule spoofing via MITM is prevented by the default use of HTTPS for downloading the regular block lists (downloading of the remaining lists over HTTP is planned to be disabled in a future release). Directives can be used to block attacks on the side of sites
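For a site that loads JavaScript as text and then executes it, one site-side guard is to refuse execution unless the response really came from an expected origin without a redirect. The sketch below is an added example, not code from the original article or from Adblock Plus; the function names and the allow-listed origin are hypothetical, and it assumes the final URL reported by the Fetch API (`response.url`) reflects where the body was actually served from.

```javascript
// Added example. ALLOWED_SCRIPT_ORIGINS and all function names are hypothetical.
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://static.example.com"]);

// Return the origin of an https URL, or null if it is missing, malformed or not https.
function originOf(u) {
  try {
    const parsed = new URL(u);
    return parsed.protocol === "https:" ? parsed.origin : null;
  } catch (e) {
    return null;
  }
}

// Decide whether a fetched body may be executed, based on where it finally came from.
// `response` only needs the Fetch Response fields `url` and `redirected`.
function checkScriptResponse(requestedUrl, response, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const requestedOrigin = originOf(requestedUrl);
  if (requestedOrigin === null || !allowed.has(requestedOrigin)) {
    return { ok: false, reason: "request-origin-not-allowed" };
  }
  // Fail closed when the final URL is unknown instead of trusting the request URL.
  const finalOrigin = originOf(response.url);
  if (finalOrigin === null) return { ok: false, reason: "no-trusted-final-url" };
  // A redirect to another host is the case described in the text above.
  if (!allowed.has(finalOrigin)) return { ok: false, reason: "origin-not-allowed" };
  // This loader expects no redirects at all, even inside an allowed origin.
  if (response.redirected) return { ok: false, reason: "unexpected-redirect" };
  return { ok: true, reason: "trusted" };
}

// Fetch script text and hand it back only if the check passes.
// Passing { redirect: "error" } instead makes fetch itself reject on any redirect.
async function loadScriptText(url, fetchImpl = fetch) {
  const response = await fetchImpl(url, { redirect: "follow", credentials: "omit" });
  const verdict = checkScriptResponse(url, response);
  if (!verdict.ok) {
    throw new Error(`refusing to execute ${url}: ${verdict.reason}`);
  }
  return response.text();
}
```

The caller executes only what `loadScriptText` returns; a rejected promise means the body must be discarded.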
Source: opennet.ru