Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2005-55

XHTML node spoofing

Announced
July 12, 2005
Reporter
moz_bug_r_a4
Impact
High
Products
Firefox, Mozilla Suite
Fixed in
  • Firefox 1.0.5
  • Mozilla Suite 1.7.10

Description

Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake <IMG> elements, for example, with content-defined properties that the browser would access as if they were the trusted built-in properties of the expected HTML elements.

The severity of the vulnerability would depend on what the attacker could convince the victim to do, but could result in executing user-supplied script with elevated "chrome" privileges. This could be used to install malicious software on the victim's machine.

Workaround

References