SpookJS Attack Bypass process


We just came to know about the SpookJS Attack Bypass process. Could someone please suggest whether our passbolt extension is secure from it, and what steps should be taken to protect our vault?


We consider this type of attack outside of the remit of the passbolt application, as it is an issue that only the Browser editor and/or Processor constructor can (and fortunately do try to) fix.

At the application level we take all the possible steps to isolate the sensitive code (e.g. the critical code runs in the context of the web extension, and any code executed on a page from passbolt is run in an iframe sandbox).

You can find the details in the response of the Chrome security team here: Google Online Security Blog: Protecting more with Site Isolation. Strict Extension Isolation is enabled as of Chrome versions 92 and up.