You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-73

Mozilla Foundation Security Advisory 2013-73

Title: Same-origin bypass with web workers and XMLHttpRequest
Impact: High
Announced: August 6, 2013
Reporter: Federico Lanusse
Products: Firefox, Thunderbird, Seamonkey

Fixed in: Firefox 23.0
  Firefox ESR 17.0.8
  Thunderbird 17.0.8
  Thunderbird ESR 17.0.8
  Seamonkey 2.20

Description

Mozilla community member Federico Lanusse reported a mechanism where a web worker can violate same-origin policy and bypass cross-origin checks through XMLHttpRequest. This could allow for cross-site scripting (XSS) attacks by web workers.

In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts.

References