Mozilla Foundation Security Advisory 2008-25

Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()

July 1, 2008
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox
  • Firefox 3
  • SeaMonkey 1.1.10
  • Thunderbird


Mozilla security researcher moz_bug_r_a4 reported that mozIJSSubScriptLoader.LoadScript() only applied XPCNativeWrappers to scripts loaded from standard chrome: URIs. Add-ons using this feature to load scripts from other schemes such as file: or data: (typically dynamically generated scripts) and chrome: URIs using non-canonical package names (e.g. uppercase) did not have the protective wrappers applied. If the scripts interact with web content in any way that content could exploit the unwrapped scripts to run arbitrary code.

Firefox itself does not use this feature in a vulnerable way and users who have not installed any Add-ons are not at risk. We have, however, identified popular Add-ons using this feature whose users are at risk and there are no doubt others.

Thunderbird users are not at risk when JavaScript is disabled in mail. This is the default setting and we strongly discourage users from enabling JavaScript in mail.


Disable JavaScript until a version containing these fixes can be installed.