You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0) > MFSA 2005-01

Mozilla Foundation Security Advisory 2005-01

Title: Link opened in new tab can load a local file
Severity: Low
Reporter: Jesse Ruderman
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0
  Mozilla Suite 1.7.5


Links with a custom getter and toString method can bypass checks intended to prevent web content from linking to local files and "chrome" URIs if the user can be convinced to middle-click (or control-click) to open it in a new tab. The browser's "same-origin" policy prevents the attacker's content from taking advantage of this flaw to read the local file or manipulate privileged chrome.


Turn off javascript or upgrade to fixed version