Mozilla Foundation Security Advisory 2012-78

Title: Reader Mode pages have chrome privileges
Impact: Critical
Announced: October 9, 2012
Reporter: Warren He
Products: Firefox

Fixed in: Firefox 16

Description

Security researcher Warren He reported that when a page is transitioned into Reader Mode in Firefox for Android, the resulting page has chrome privileges and its content is not thoroughly sanitized. A successful attack requires the user to enable Reader Mode for a malicious page, which could then perform an attack similar to cross-site scripting (XSS) to gain the privileges allowed to Firefox on an Android device. This has been fixed by changing the Reader Mode page into an unprivileged page.

This vulnerability only affects Firefox for Android.
