Vivaldi crashes when setting bookmark to be a JS Link

SENitro

I don't know if this is a problem, not a problem, or something else, but if you set the bookmark link to be javascript code, the Vivaldi browser crashes.

In the below example I let the code be :
javascript:(d=>{let e=d.createElement("script");e.src="https://abrudz.github.io/lb/vyxal.js";d.body.appendChild(e)})(document)

This works in edge, but can this be used as an exploit?
Demonstration

bariton

At least this bookmark link does not crash vivaldi:

javascript:window.alert(document.cookie.split(';').join(';\r\n'));

Hadden89

@SENitro Works on Vivaldi 5.3.2679.30 // Chrome/102.0.5005.72 so it could be a recent Chromium/Vivaldi bug.

Pathduck

@SENitro Hi - a bookmark with JS code is what is called a "bookmarklet" and these work fine in Vivaldi. However, your code there gets its source from a separately loaded JS file, and it's not so often bookmarklets do that, usually they're just single lines of JS code.

Also, it should be said that trying to add a bookmarklet as a Speed Dial and then attempting to load its "thumbnail" is kind of an edge case

I can confirm that it does indeed crash if you try to load a thumbnail for a Speed Dial containing this code. I suggest you do not try to do this. Not sure what you mean by "works in Edge" because last I checked, Edge did not use Speed Dials? If you want you could report it I guess.

Please read:

• Help us reproduce your issue
• How to report a bug for Vivaldi
• How to report crashes on Windows, macOS, Linux

carefully and report the bug to Vivaldi bugtracker

Pathduck

The code itself seems to work fine in Vivaldi though - no idea what it's supposed to do - as long as you don't add it to the speed dials and don't try to load a thumbnail from it

Video: https://ttm.sh/wUV.mp4

Hadden89

@Pathduck The code add a sort of virtual keyboard in the body (web) page. This may trip the SD in some way.
On 5.3 I can add the thumb too. But I end with a pointless blank (black) page and the bookmarklet just silently fail.
@SENitro Bookmarlets should be launched from the active page they need them, never from a restricted (internal) SD page

Pathduck

@Hadden89 Sure seems like it, it tries to execute the JS directly in the SD page when trying to actually load a thumbnail from a javascript: URL.

I guess it should be reported as a crash bug. Should be an easy fix - don't execute javascript URLs on the SD.

My advice to the OP is still - don't do this. There are other ways to load a bookmarklet. Usually they belong in the bookmarks bar for quick access, in a bookmark loaded through a keyword, could even be placed in a command chain, but never on the Speed Dial, it just makes no sense to do that.

DoctorG

Some charcters in URL needs to be correctly URL-encoded.

Try this:
javascript:(d=%3E%7Blet%20e=d.createElement(%22script%22);e.src=%22https://abrudz.github.io/lb/vyxal.js%22;d.body.appendChild(e)%7D)(document)

Pathduck

@DoctorG It still crashes.

And I've just figured out that if a user has similar bookmarklet(s) that causes the crash (getting external src= for instance), and then accidentally triggers the "Update Thumbnails" tool in the bookmarks manager, Vivaldi will try to generate thumbnails and crash after a while.

For instance I have some bookmarklets in a folder Bookmarklets, if I trigger "Update Thumbnails" on this folder, it will crash on some of them.

Basically, Vivaldi should never try to create thumbnails for javascript: bookmarks because the outcome is never predictable.

Works (generates thumb without crash):

javascript:location.href='https://web.archive.org/web/*/'+document.location.href;

javascript:if(document.getSelection)%7Bs=document.getSelection();%7Delse%7Bs='';%7D;document.location='https://start.me/add_bookmark?url=%27+encodeURIComponent(location.href)+%27&title=%27+encodeURIComponent(document.title);

javascript:document.location.href%20=%20'mailto:?subject=%27%20+%20encodeURIComponent(document.title)%20+%20%27&body=%27%20+%20encodeURIComponent(document.location);

Crashes when generating thumb:

javascript:(function()%7Burl='//imgops.com/imgops.js';document.body.appendChild(document.createElement('script')).src=url+'?%27+new%20Date().getTime();%7D)();

javascript:q=window.getSelection().toString();if(!q)q=prompt(%22Search%20terms%22);if(q!=null)location=%22http://www.google.com/search?q=%22+q+%22+site:%22+location.hostname;

javascript:(d=%3E%7Blet%20e=d.createElement(%22script%22);e.src=%22https://abrudz.github.io/lb/vyxal.js%22;d.body.appendChild(e)%7D)(document)

Edit - Reported as VB-90446

SENitro

@Pathduck ah thanks, I thought the speed dial represented the favourites tab in edge

SENitro

@bariton nope, crashes vivaldi on v5.3.2679.61

Pathduck

@SENitro No, bookmarks management in Vivaldi is so much more powerful than in Edge
https://help.vivaldi.com/desktop/bookmarks-speed-dial/bookmarks/

The Speed Dials are just the ones that show on the Start Page, you also have bookmarks panel, manager and of course the bookmarks bar.

Like I've said It doesn't really make sense to add a JS bookmarklet to the Speed Dial, as it would need to be available when on a web page. Usually you would use the bar or the panel to execute bookmarklets, or add a keyword and launch it directly.

Another problem with the Speed Dial is of course that thumbnails are automatically generated when adding bookmarks there, so it would crash no matter what.

I have reported this as a crashing bug, since I think the browser should not crash even if the user does "silly" things like this

SENitro

@Pathduck I just downloaded Vivaldi yesterday and wanted to test stuff :P​ - I've removed the bookmarklet now, it wasn't anything important.

Pathduck

@SENitro That's fine, using Vivaldi is always a learning experience, and we learn best by breaking stuff

If you watch the video I posted above, is how I usually run bookmarklets - open the panel and double-click it.

Yes, I've reported it, so hopefully it will be fixed at some point

DoctorG

@Pathduck said in Vivaldi crashes when setting bookmark to be a JS Link:

Reported as VB-90446

I can confirm crashes for my internal Daily 5.4.2727 and updated bug tracker