Mozilla Foundation Security Advisory 2008-23

Signed JAR tampering

July 1, 2008
Collin Jackson, Adam Barth
Firefox, SeaMonkey
Fixed in
  • Firefox
  • Firefox 3
  • SeaMonkey 1.1.10


Security researchers Collin Jackson and Adam Barth reported a series of vulnerabilities which allow JavaScript to be injected into the context of signed JARs and executed under the context of the JAR's signer. This could allow an attacker to run JavaScript in a victim's browser with the privileges of a different website, provided the attacker possesses a JAR signed by the other website.

One variant allowed JavaScript to be injected into documents inside a signed JAR file. An additional vulnerability exploited signed JAR files which use relative URLs to JavaScript files. An attacker could use this vulnerability to trick the browser into treating an attacker-controlled JavaScript file as the file the signed JAR intended to reference.