The “about” pages in Firefox allow users to view networking information, display browser configurations, and access installed plugins. Through research and observation, the team at Mozilla found that there is a chance for the “about config” page can be abused to launch code injection attacks. Mozilla developers fixed this vulnerability by re-writing inline event handlers and inline JavaScript code for all 45 “about” pages. Mozilla also moved the code to package files. “This allowed us to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ which ensures that injected JavaScript code does not execute. Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla researchers stated. An additional hardening process was implemented by rewriting the use of eval()-like functions in system privileged contexts and the parent process within Firefox’s codebase.