Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2005-53

Standalone applications can run arbitrary code through the browser

July 12, 2005
Michael Krax
Fixed in
  • Firefox 1.0.5


Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a javascript: url it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: url to load then the subsequent javascript: url could execute arbitrary code.

External javascript: urls will now run in a blank context regardless of what content it's replacing, and external apps will no longer be able to load privileged chrome: urls in a browser window. The -chrome command line option to load chrome applications is still supported.


Set the browser to open external links in a new tab or new window.

  1. Open the Options dialog from the Tools menu
  2. Select the Advanced icon in the left panel
  3. Open the "Tabbed Browsing" group
  4. Set "Open links from other applications in:" to either new tab or new window


Bug details embargoed until August 1, 2005