Mozilla Foundation Security Advisory 2005-37

Code execution through javascript: favicons

Announced: April 15, 2005
Reporter: Michael Krax
Impact: Critical
Products: Firefox, Mozilla Suite
Fixed in:
  • Firefox 1.0.3
  • Mozilla Suite 1.7.7

Description

Firefox and the Mozilla Suite support custom "favicons" through the <LINK rel="icon"> tag. If a link tag is added to the page programmatically and a javascript: URL is used, the script will run with elevated privileges and could run or install malicious software.
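
An added example, not Mozilla's patch or code from this advisory: one way a consumer of page-supplied icon URLs can gate them on a scheme allowlist at load time, so the check applies however the link element was created. The function names, the http(s)-only allowlist and the sample hrefs are assumptions constructed for illustration.

```javascript
// Added example (not Mozilla's patch): scheme allowlist for favicon URLs.
// Assumption: icons only ever need to be fetched over http(s).
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Resolve href against the document's base URL, as a browser would, and
// return the absolute URL only if its scheme is on the allowlist.
function resolveIconHref(href, baseUrl) {
  if (typeof href !== "string" || href.trim() === "") return null;
  let url;
  try {
    // The WHATWG URL parser strips surrounding whitespace and embedded
    // tabs/newlines and lowercases the scheme, so variants such as
    // " JaVa\tScRiPt:..." are normalised before the comparison.
    url = new URL(href, baseUrl);
  } catch (err) {
    return null; // unparseable input is rejected, never passed through
  }
  return ALLOWED_ICON_SCHEMES.has(url.protocol) ? url.href : null;
}

// Split candidate hrefs (as read from link elements at load time) into
// resolved URLs that may be fetched and raw values that were refused.
function filterIconCandidates(hrefs, baseUrl) {
  const accepted = [];
  const rejected = [];
  for (const href of hrefs) {
    const resolved = resolveIconHref(href, baseUrl);
    if (resolved === null) rejected.push(href);
    else accepted.push(resolved);
  }
  return { accepted, rejected };
}

// Constructed sample input for the example.
const SAMPLE_BASE = "https://example.org/page.html";
const SAMPLE_HREFS = [
  "/favicon.ico",
  "//cdn.example/icon.png",
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:image/gif;base64,R0lGODlhAQABAAAAACw=",
  "",
];

console.log(filterIconCandidates(SAMPLE_HREFS, SAMPLE_BASE));
```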

Workaround

Disable JavaScript.

References