
Mozilla Foundation Security Advisory 2006-08

Title: "AnyName" entrainment and access control hazard
Severity: Low
Date: February 1, 2006
Reporter: Brendan Eich
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.1
  SeaMonkey 1.0
  Thunderbird 1.5.0.2

Description

The implementation of E4X introduced an internal "AnyName" object which was unintentionally exposed to web content. This singleton object could be used by two cooperating domains as a communication channel to get around the same-origin restrictions that prevent direct access from one window or frame to another. It could not be used to violate the same-origin protection of another window's content; it was simply a mutually accessible storage spot. E4X was not supported in Firefox 1.0 or Mozilla 1.7.

Thunderbird 1.5 could be vulnerable if JavaScript is enabled in mail. This is not the default setting and we strongly discourage users from turning on JavaScript in mail. Thunderbird is not vulnerable in its default configuration.

Update (13 April 2006)
This flaw has been fixed in Thunderbird 1.5.0.2.

Workaround

Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or SeaMonkey mail.

References