You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-100

Mozilla Foundation Security Advisory 2012-100

Title: Improper security filtering for cross-origin wrappers
Impact: High
Announced: November 20, 2012
Reporter: Bobby Holley
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 17.0
  Firefox ESR 10.0.11
  Thunderbird 17.0
  Thunderbird ESR 10.0.11
  SeaMonkey 2.14

Description

Mozilla developer Bobby Holley reported that security wrappers filter at the time of property access, but once a function is returned, the caller can use this function without further security checks. This affects cross-origin wrappers, allowing for write actions on objects when only read actions should be properly allowed. This can lead to cross-site scripting (XSS) attacks.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

References