Mozilla Foundation Security Advisory 2005-49

Script injection from Firefox sidebar panel using data:

Announced: July 12, 2005
Reporter: Kohei Yoshino
Impact: High
Products: Firefox
Fixed in: Firefox 1.0.5

Description

Sites can use the _search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: URLs containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data.

Workaround

References