You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2006-43

Mozilla Foundation Security Advisory 2006-43

Title: Privilege escalation using addSelectionListener
Impact: Critical
Date: June 1, 2006
Reporter: moz_bug_r_a4
Products: Firefox, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.0.2


Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox in MFSA 2006-31 and content-defined DOM setters in MFSA 2006-37 moz_bug_r_a4 figured a way to leverage the fact that the notifications were created in a privileged context into arbitrary code execution.


Disable JavaScript until you've upgraded to a fixed version.