You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0) > MFSA 2005-01
Mozilla Foundation Security Advisory 2005-01
Title: Link opened in new tab can load a local file
Reporter: Jesse Ruderman
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0
Mozilla Suite 1.7.5
Links with a custom getter and toString method can bypass checks intended to prevent web content from linking to local files and "chrome" URIs if the user can be convinced to middle-click (or control-click) to open it in a new tab. The browser's "same-origin" policy prevents the attacker's content from taking advantage of this flaw to read the local file or manipulate privileged chrome.