You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-68

Mozilla Foundation Security Advisory 2013-68

Title: Document URI misrepresentation and masquerading
Impact: High
Announced: August 6, 2013
Reporter: moz_bug_r_a4
Products: Firefox, Thunderbird, Seamonkey

Fixed in: Firefox 23.0
  Firefox ESR 17.0.8
  Thunderbird 17.0.8
  Thunderbird ESR 17.0.8
  Seamonkey 2.20

Description

Mozilla security researcher moz_bug_r_a4 reported that through an interaction of frames and browser history it was possible to make the browser believe attacker-supplied content came from the location of a previous page in browser history. This allows for cross-site scripting (XSS) attacks by loading scripts from a misrepresented malicious site through relative locations and the potential access of stored credentials of a spoofed site.

In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

References