Mozilla Foundation Security Advisory 2007-05
XSS and local file access by opening blocked popups
- February 23, 2007
- shutdown, Michal Zalewski
- Firefox, SeaMonkey
- Fixed in
  - Firefox 184.108.40.206
  - Firefox 220.127.116.11
  - SeaMonkey 1.0.8
Similarly, Michal Zalewski reported that although pages loaded from the web normally cannot open windows containing local files, if you could convince a user to open a blocked popup then this restriction could be bypassed. In order to take advantage of this flaw the attacker would have to know the full path to a locally-saved file containing malicious script. He also reported that a flaw in the seeding of the pseudo-random number generator resulted in downloaded files being saved to temporary files with a reasonably predictable name. The two combined could be used to steal information saved on the local disk.
Do not open blocked popups individually; instead, either ignore them or decide to enable popups on a per-site basis.
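
The predictable temporary file name problem described above, shown as an added example that is not Mozilla's code: a name derived from a PRNG with a guessable seed repeats exactly, while a name drawn from the kernel CSPRNG and created with `O_EXCL` does not. The LCG, the seed value, the `.part` suffix and all function names are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
static const char ALPHA[] = "abcdefghijklmnopqrstuvwxyz0123456789";

/* Weak pattern: the name is a pure function of the PRNG seed, so a guessable
 * seed gives a guessable name. Constructed LCG, not Mozilla's generator. */
void weak_temp_name(uint32_t seed, char out[9]) {
    uint32_t s = seed;
    for (int i = 0; i < 8; i++) {
        s = s * 1664525u + 1013904223u;
        out[i] = ALPHA[(s >> 16) % 36];
    }
    out[8] = '\0';
}

/* Hardened: draw the name from the kernel CSPRNG. Returns 0 on success. */
int strong_temp_name(char out[17]) {
    unsigned char buf[16];
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, sizeof buf);
    close(fd);
    if (got != (ssize_t)sizeof buf) return -1;
    for (int i = 0; i < 16; i++)
        out[i] = ALPHA[buf[i] % 36];  /* slight modulo bias; fine for a name */
    out[16] = '\0';
    return 0;
}

/* Create dir/<random>.part owner-only; O_EXCL refuses an existing path or
 * symlink. Returns an fd, or -1. */
int create_temp_file(const char *dir, char *path, size_t n) {
    char name[17];
    if (strong_temp_name(name) != 0) return -1;
    int len = snprintf(path, n, "%s/%s.part", dir, name);
    if (len < 0 || (size_t)len >= n) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void) {
    char w1[9], w2[9];
    weak_temp_name(1172188800u, w1);  /* constructed seed, used twice */
    weak_temp_name(1172188800u, w2);
    printf("weak names repeat: %s %s\n", w1, w2);
    return 0;
}
```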