You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-46

Mozilla Foundation Security Advisory 2010-46

Title: Cross-domain data theft using CSS
Impact: Moderate
Announced: July 20, 2010
Reporter: Chris Evans
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.7
  Firefox 3.5.11
  Thunderbird 3.1.1
  Thunderbird 3.0.6
  SeaMonkey 2.0.6


Google security researcher Chris Evans reported that data can be read across domains by injecting bogus CSS selectors into a target site and then retrieving the data using JavaScript APIs. If an attacker can inject opening and closing portions of a CSS selector into points A and B of a target page, then the region between the two injection points becomes readable to JavaScript through, for example, the getComputedStyle() API.