You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-77

Mozilla Foundation Security Advisory 2013-77

Title: Improper state in HTML5 Tree Builder with templates
Impact: Moderate
Announced: September 17, 2013
Reporter: Atte Kettunen
Products: Firefox, Seamonkey

Fixed in: Firefox 24.0
  Thunderbird 24.0
  Seamonkey 2.21


Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG found that the HTML5 Tree Builder does not properly store state when interacting with template elements. Because some stack information is incorrectly stored, the template insertion mode stack can be used when it is empty. This could possibly lead to code execution in some circumstances.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.