Mozilla Foundation Security Advisory 2008-65
Cross-domain data theft via script redirect error message
Announced: December 16, 2008
Reporter: Chris Evans
Impact: High
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
- Firefox 2.0.0.19
- Firefox 2.0.0.20
- Firefox 3.0.5
- SeaMonkey 1.1.14
- Thunderbird 2.0.0.19
Description
Google security researcher Chris Evans reported that a website could read a limited amount of data from a different domain by loading a script from a same-domain URL that redirects to an off-domain resource whose content is not valid JavaScript. When the browser attempts to parse that data as JavaScript, a syntax error is raised, and because the script was requested from a same-domain URL the full error message, which can include some of the surrounding file content, is delivered to the page through the window.onerror DOM API.
This issue could be used by a malicious website to steal private data from users who are authenticated to the site the redirect points at. How much data is at risk depends on the format of the data and on how the JavaScript parser attempts to interpret it. For most files the amount of data that can be recovered is limited to the first word or two; some data formats might allow deeper probing with repeated loads.
Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.
Update December 18, 2008: The Windows version of Firefox 2.0.0.19 was shipped without the fix for this issue (other platforms were correctly patched). Firefox 2.0.0.20 has been released on Windows to correct this oversight.
Workaround
Disable JavaScript until a version containing these fixes can be installed.