Mozilla Foundation Security Advisory 2010-12
Title: XSS using addEventListener and setTimeout on a wrapped object
Announced: March 23, 2010
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.2
Mozilla security researcher moz_bug_r_a4 reports that, by using an appropriately wrapped object, it was possible to bypass the fix for MFSA 2007-19. Prior to Firefox 3.6, this gives an attacker the ability to perform cross-site scripting attacks against arbitrary sites, as in the original MFSA 2007-19 attack. Due to unrelated changes in the browser engine used by Firefox 3.6, attacks in that version are limited to capturing keystroke events from a cross-origin frame or window rather than gaining full DOM access. Those events might be sufficient to illicitly obtain passwords or other sensitive information entered into web forms.