Mozilla Foundation Security Advisory 2014-13

Title: Inconsistent JavaScript handling of access to Window objects
Impact: High
Announced: February 4, 2014
Reporter: Boris Zbarsky
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 27
  Firefox ESR 24.3
  Thunderbird 24.3
  SeaMonkey 2.24


Mozilla developer Boris Zbarsky reported that the different JavaScript engines handle JavaScript native getters on window objects inconsistently. This inconsistency can cause the same JavaScript code to behave differently, creating a potential security issue in window handling because some security checks can be bypassed.

In general, this flaw cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled in mail, but it is potentially a risk in browser or browser-like contexts.