Mozilla Foundation Security Advisory 2011-56
Announced: December 20, 2011
Reporter: Mario Heiderich
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 9.0
Security researcher Mario Heiderich reported it was
possible to use SVG animation accessKey events to detect
keystrokes even when scripting is disabled. Because it is normally possible to
detect key events through script and most users have scripting enabled, this
does not present a risk for most users. In contexts where the user knows
scripting is disabled (reading mail, for example, or NoScript users) this
could allow a malicious web page to fool a user into interacting with
a prompt thinking it came from the browser or mail program.
Accessing remote content is disabled by default when reading mail in Thunderbird and SeaMonkey. Successfully capturing keystrokes remotely would require some social engineering to convince the user to turn it on.
SVG animation is not supported in Thunderbird 3.1 or Firefox 3.6.
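
A defensive check for script-free contexts such as mail rendering, added here as an example and not part of Mozilla's advisory or fix: it flags SVG animation elements whose timing attributes are bound to a key press. It assumes the SMIL `accessKey(...)` timing syntax in the `begin` and `end` attributes; the names `AccessKeyFinder` and `scan`, and the sample markup, are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# SMIL animation elements (HTMLParser lowercases tag and attribute names).
ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform", "animatecolor"}
TIMING_ATTRS = {"begin", "end"}
# Matched case-insensitively so that near-miss spellings are reported too.
ACCESSKEY_RE = re.compile(r"accesskey\(\s*(.)\s*\)", re.IGNORECASE)


class AccessKeyFinder(HTMLParser):
    """Collects animation elements whose timing is triggered by a key press."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, element, attribute, key)

    def handle_starttag(self, tag, attrs):
        local = tag.rsplit(":", 1)[-1]  # tolerate a prefix such as svg:set
        if local not in ANIMATION_TAGS:
            return
        for name, value in attrs:
            if name not in TIMING_ATTRS or not value:
                continue
            # Timing attributes hold a ';'-separated list of begin/end values.
            for part in value.split(";"):
                match = ACCESSKEY_RE.search(part)
                if match:
                    self.findings.append((self.getpos()[0], local, name, match.group(1)))


def scan(markup):
    """Return key-triggered animation findings for one HTML or SVG document."""
    finder = AccessKeyFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed sample: an HTML mail body with an inline SVG.
SAMPLE = """<html><body><p>Invoice attached.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1" visibility="hidden">
    <set attributeName="visibility" to="visible" begin="accessKey(a)"/>
    <animate attributeName="width" to="2" dur="1s" begin="0s; AccessKey(b)+1s"/>
    <animateTransform attributeName="transform" type="scale" to="2" begin="click"/>
  </rect>
</svg></body></html>"""

if __name__ == "__main__":
    for line, element, attribute, key in scan(SAMPLE):
        print(f"line {line}: <{element}> {attribute} is bound to key {key!r}")
```

A sanitizer or mail gateway can treat any finding as grounds to drop the animation element, since the markup needs no script to react to typing.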