You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-107

Mozilla Foundation Security Advisory 2013-107

Title: Sandbox restrictions not applied to nested object elements
Impact: Low
Announced: December 10, 2013
Reporter: Daniel Veditz
Products: Firefox, Seamonkey

Fixed in: Firefox 26
  Seamonkey 2.23


Mozilla security developer Daniel Veditz discovered that <iframe sandbox> restrictions are not applied to an <object> element contained within a sandboxed iframe. This could allow content hosted within a sandboxed iframe to use <object> element to bypass the sandbox restrictions that should be applied.