You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.3) > MFSA 2005-37

Mozilla Foundation Security Advisory 2005-37

Title: Code execution through javascript: favicons
Severity: Critical
Reporter: Michael Krax
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.3
  Mozilla Suite 1.7.7

Description

Firefox and the Mozilla Suite support custom "favicons" through the <LINK rel="icon"> tag. If a link tag is added to the page programmatically and a javascript: url is used, then script will run with elevated privileges and could run or install malicious software.

Workaround

Disable javascript.

References