You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-72

Mozilla Foundation Security Advisory 2012-72

Title: Web console eval capable of executing chrome-privileged code
Impact: High
Announced: August 28, 2012
Reporter: Colby Russell
Products: Firefox, Thunderbird

Fixed in: Firefox 15
  Firefox ESR 10.0.7
  Thunderbird 15
  Thunderbird ESR 10.0.7


Security researcher Colby Russell discovered that eval in the web console can execute injected code with chrome privileges, leading to the running of malicious code in a privileged context. This allows for arbitrary code execution through a malicious web page if the web console is invoked by the user.