Mozilla Foundation Security Advisory 2012-13
Title: XSS with Drag and Drop and Javascript: URL
Impact: Moderate
Announced: March 13, 2012
Reporter: Soroush Dalili
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 11.0
Firefox ESR 10.0.3
Firefox 3.6.28
Thunderbird 11.0
Thunderbird ESR 10.0.3
Thunderbird 3.1.20
SeaMonkey 2.8
Description
Firefox prevents the dropping of javascript: links onto a frame
to prevent malicious sites from tricking users into performing cross-site
scripting (XSS) attacks on themselves. Security researcher Soroush
Dalili reported a way to bypass this protection.
