Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2011-43

loadSubScript unwraps XPCNativeWrapper scope parameter

Announced
September 27, 2011
Reporter
David Rees
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 7
  • SeaMonkey 2.4

Description

David Rees reported that the JSSubScriptLoader (a feature used by some add-ons) was "unwrapping" XPCNativeWrappers when they were used as the scope parameter to loadSubScript(). Without the protection of the wrappers the add-on could be vulnerable to privilege escalation attacks from malicious web content. Whether any given add-on were vulnerable would depend on how the add-on used the feature and whether it interacted directly with web content, but we did find at least one vulnerable add-on and presume there are more.

The unwrapping behavior was a change introduced during Firefox 4 development. Firefox 3.6 and earlier versions are not affected.

References