Mozilla Foundation Security Advisory 2006-63

JavaScript execution in mail via XBL

September 14, 2006
Georgi Guninski
SeaMonkey, Thunderbird
Fixed in
  • SeaMonkey 1.0.5
  • Thunderbird


Georgi Guninski demonstrated that even with JavaScript disabled in mail (the default) an attacker can still execute JavaScript when a mail message is viewed, replied to, or forwarded by putting the script in a remote XBL file loaded by the message. The executed script could be used to alter or change the appearance of the message, and can act as a "mail-tap" to spy on the contents added to a reply or forward. For example, the attacker could make a provocative offer to a rival business and then watch the internal debate as it was forwarded and replied to.

The victim would have to have chosen to "Load Images"--either for the individual message or as the default setting -- in order for the XBL file to be loaded and the JavaScript executed.


The problem can be avoided in the message window by not viewing the original HTML of mail messages. Use the "Simple HTML" or plain text options on the "Message Body As" View menu item instead.

Similarly, avoid the problem when composing a reply or forward by unchecking the "Compose messages in HTML format" option in Account Settings to use the plain text editor.