Mozilla Foundation Security Advisory 2006-43
Privilege escalation using addSelectionListener
- June 1, 2006
- Firefox, SeaMonkey
- Fixed in
- Firefox 184.108.40.206
- SeaMonkey 1.0.2
Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox in MFSA 2006-31 and content-defined DOM setters in MFSA 2006-37 moz_bug_r_a4 figured a way to leverage the fact that the notifications were created in a privileged context into arbitrary code execution.