Script injection from Firefox sidebar panel using data:
- July 12, 2005
- Kohei Yoshino
- Fixed in
- Firefox 1.0.5
Sites can use the _search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data.