You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2009-39

Mozilla Foundation Security Advisory 2009-39

Title: setTimeout loses XPCNativeWrappers
Impact: Critical
Announced: July 21, 2009
Reporter: Blake Kaplan
Products: Firefox

Fixed in: Firefox 3.5
  Firefox 3.0.12

Description

Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this as an argument, the this object will lose its wrapper and could be unsafely accessed by chrome code. An attacker could use such vulnerable code to run arbitrary JavaScript with chrome privileges.

Workaround

Disable JavaScript until a version containing this fix can be installed.

References