• Security Center
  • Security Advisories
  • Known Vulnerabilities
  • Bug Bounty
  • Security Blog

You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-75

Mozilla Foundation Security Advisory 2012-75

Title: select element persistance allows for attacks
Impact: Critical
Announced: October 9, 2012
Reporter: David Bloom
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Thunderbird 16
  SeaMonkey 2.13

Description

Security researcher David Bloom of Cue discovered that <select> elements are always-on-top chromeless windows and that navigation away from a page with an active <select> menu does not remove this window.When another menu is opened programmatically on a new page, the original <select> menu can be retained and arbitrary HTML content within it rendered, allowing an attacker to cover arbitrary portions of the new page through absolute positioning/scrolling, leading to spoofing attacks. Security researcher Jordi Chancel found a variation that would allow for click-jacking attacks was well.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

References

• Navigation away from a page with an active <select> dropdown menu can be used for URL spoofing, other evil
• CVE-2012-3984

• Firefox 10.0.1 : Navigation away from a page with multiple active <select> dropdown menu can be used for Spoofing And ClickJacking with XPI using window.open and geolocalisation