Mozilla Foundation Security Advisory 2008-61
Title: Information stealing via loadBindingDocument
Announced: December 16, 2008
Reporter: Boris Zbarsky
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 188.8.131.52
Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:
- The target document requires a <bindings> element in the XBL namespace in order to be read.
- The reader of the data needs to know the id attribute of the binding being read in advance.
- It is unlikely that web services will expose private data in the manner described above.
Firefox 3 is not affected by this issue.
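
To audit content you serve against the first two mitigating factors above, the sketch below lists the binding ids a document exposes. It is an added example, not code from the advisory or from Mozilla: the function name and sample documents are constructed, and it assumes the XBL 1.0 namespace URI http://www.mozilla.org/xbl and that <binding> elements are direct children of <bindings>.

```python
import xml.etree.ElementTree as ET

# Assumption: XBL 1.0 namespace URI (not stated in the advisory).
XBL_NS = "http://www.mozilla.org/xbl"


def readable_binding_ids(xml_text):
    """Return the ids of XBL bindings found in xml_text.

    An empty list means the document does not meet the advisory's
    preconditions: it is not well-formed XML, it has no <bindings>
    element in the XBL namespace, or no binding carries an id.
    Intended for auditing your own content, not for untrusted input.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # not well-formed XML, so nothing to match

    ids = []
    # iter() also visits the root, so a top-level <bindings> is matched.
    for bindings in root.iter("{%s}bindings" % XBL_NS):
        for binding in bindings.findall("{%s}binding" % XBL_NS):
            binding_id = binding.get("id")
            if binding_id:  # a binding without an id cannot be named
                ids.append(binding_id)
    return ids


# Constructed sample documents.
SAMPLE_XBL = (
    '<bindings xmlns="http://www.mozilla.org/xbl">'
    '<binding id="account"><content>balance</content></binding>'
    '<binding><content>no id</content></binding>'
    '</bindings>'
)
SAMPLE_PREFIXED = (
    '<data xmlns:x="http://www.mozilla.org/xbl">'
    '<x:bindings><x:binding id="profile"/></x:bindings>'
    '</data>'
)
SAMPLE_OTHER_NS = '<bindings><binding id="account"/></bindings>'
SAMPLE_MALFORMED = '<bindings xmlns="http://www.mozilla.org/xbl"><binding id="a">'

if __name__ == "__main__":
    for name in ("SAMPLE_XBL", "SAMPLE_PREFIXED", "SAMPLE_OTHER_NS", "SAMPLE_MALFORMED"):
        print(name, readable_binding_ids(globals()[name]))
```

An empty result for every XML resource that carries private data means the first two conditions are not met for that content.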