Privilege escalation using named-functions and redefined "new Object()"
- July 25, 2006
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 184.108.40.206
- SeaMonkey 1.0.3
- Thunderbird 220.127.116.11
Our fix involves calling the internal Object constructor which appears to be what other ECMA-compatible interpreters do.