prompt('XSS by Osanda Malith');
Once you open the attachment, the code gets interpreted.
However, due to the same-origin policy, this bug can't do much damage. If you run
alert(window.sessionStorage.protonmail_pw), the result is “undefined”.
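The "undefined" result follows from sessionStorage being scoped per origin. The sketch below is an added example, not code from the original post or from ProtonMail: it models that scoping with constructed URLs and a constructed value, on the assumption that the attachment is opened outside the webmail origin (the host names are hypothetical).

```javascript
// Added illustration: a minimal model of origin-scoped sessionStorage.
// All URLs and the stored value are constructed for this example.
class StorageModel {
  constructor() {
    this.areas = new Map(); // serialized origin -> Map of key/value pairs
  }

  // Serialize the origin (scheme, host, port) as the URL standard does.
  // Opaque origins, such as data: documents, serialize to the string "null".
  static originOf(documentUrl) {
    return new URL(documentUrl).origin;
  }

  // Return the storage area a document loaded from documentUrl would see.
  areaFor(documentUrl) {
    const origin = StorageModel.originOf(documentUrl);
    if (origin === 'null') {
      // Browsers refuse storage access for opaque origins; the model
      // simplifies that to an empty area shared with no other document.
      return new Map();
    }
    if (!this.areas.has(origin)) this.areas.set(origin, new Map());
    return this.areas.get(origin);
  }

  setItem(documentUrl, key, value) {
    this.areaFor(documentUrl).set(key, String(value));
  }

  // Property-style read: a missing key yields undefined, as in the post.
  read(documentUrl, key) {
    return this.areaFor(documentUrl).get(key);
  }
}

function demo() {
  const model = new StorageModel();
  const app = 'https://mail.example.test/inbox';          // assumed webmail origin
  const attachment = 'https://files.example.test/a.html'; // assumed attachment origin
  const inlineDoc = 'data:text/html,<p>attachment</p>';   // opaque origin
  model.setItem(app, 'protonmail_pw', 'constructed-secret');
  return {
    sameOrigin: model.read('https://mail.example.test:443/settings', 'protonmail_pw'),
    otherHost: model.read(attachment, 'protonmail_pw'),
    opaque: model.read(inlineDoc, 'protonmail_pw'),
  };
}

console.log(demo());
```

Only the document that shares scheme, host and port with the webmail page reads the value; the other two reads return undefined.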
2 thoughts on “Protonmail Stored XSS”
email attachment with malicious js !!! is it fixed now ? 😉
They won’t fix it I guess 🙂