U-XSS in Opera Mini for iOS Browser (0-Day) [CVE-2019-13607]
Update [15 July 2019]: CVE-2019-13607 is assigned to this vulnerability.
I have set up a demo page here: http://rakeshmane.com/secret.html
VIDEO POC:
1. Demonstrating U-XSS by executing "document.domain" in Google.
2. Demonstrating U-XSS by fetching Google homepage.
Irresponsible Disclosure: I reported this vulnerability to Opera at "https://security.opera.com/report-security-issue/" on 12th June; however, apart from an acknowledgement email, I did not get any other information from them. "Our team is reviewing the report" is the only update I have got so far from them, so probably they are not interested in fixing this vulnerability anytime soon. The Opera team is very slow, does not maintain any transparency and is not really serious about the security of their mobile browsers. So I would totally recommend moving to other secure browsers if you are using Opera Mini.
[Disclaimer: This post is only for educational purposes and I do not encourage anyone to misuse the information given in this post.]