Mozilla Foundation Security Advisory 2005-39

Arbitrary code execution from Firefox sidebar panel II

Announced

April 15, 2005

Reporter

Kohei Yoshino

Impact

Critical

Products

Firefox

Fixed in

Firefox 1.0.3

Description

Sites can use the _search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page (such as about:config) and then inject script using a javascript: url. This could be used to install malicious code or steal data without user interaction.

Workaround

Disable Javascript

References

https://bugzilla.mozilla.org/show_bug.cgi?id=290079

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising