Your system may not meet the requirements for Firefox, but you can try one of these versions:

Your system doesn't meet the requirements to run Firefox.

Your system doesn't meet the requirements to run Firefox.

Please follow these instructions to install Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2007-09

Privilege escalation by setting img.src to javascript: URI

March 5, 2007
Firefox, SeaMonkey
Fixed in
  • Firefox
  • Firefox
  • SeaMonkey 1.0.8
  • SeaMonkey 1.1.1


moz_bug_r_a4 reports that the fix for MFSA 2006-72 in Firefox and Firefox introduced a regression that allows scripts from web content to execute arbitrary code by setting the src attribute of an IMG tag to a specially crafted javascript: URI.

The same regression also caused javascript: URIs in IMG tags to be executed even if JavaScript execution was disabled in the global preferences. This facet was noted by moz_bug_r_a4 and reported independently by Anbo Motohiko.

Thunderbird is not affected by this flaw as it will not execute javascript: URIs in IMG tags.


Upgrade to a version containing the fix. Disabling JavaScript does not protect against this flaw.