You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-46

Mozilla Foundation Security Advisory 2012-46

Title: XSS through data: URLs
Impact: High
Announced: July 17, 2012
Reporter: moz_bug_r_a4
Products: Firefox

Fixed in: Firefox 14
  Firefox ESR 10.0.6


Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, context menu functionality ("View Image", "Show only this frame", and "View background image") are disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution.