You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-72

Mozilla Foundation Security Advisory 2013-72

Title: Wrong principal used for validating URI for some Javascript components
Impact: High
Announced: August 6, 2013
Reporter: Cody Crews
Products: Firefox, Thunderbird, Seamonkey

Fixed in: Firefox 23.0
  Firefox ESR 17.0.8
  Thunderbird 17.0.8
  Thunderbird ESR 17.0.8
  Seamonkey 2.20


Security researcher Cody Crews reported that some Javascript components will perform checks against the wrong uniform resource identifier (URI) before performing security sensitive actions. This will return an incorrect location for the originator of the call. This could be used to bypass same-origin policy, allowing for cross-site scripting (XSS) or the installation of malicious add-ons from third-party pages.

In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts.