Mozilla Foundation Security Advisory 2008-61

Information stealing via loadBindingDocument

Announced: December 16, 2008
Reporter: Boris Zbarsky
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
  • Firefox
  • SeaMonkey 1.1.14
  • Thunderbird


Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:

  1. The target document requires a <bindings> element in the XBL namespace in order to be read.
  2. The reader of the data needs to know the id attribute of the binding being read in advance.
  3. It is unlikely that web services will expose private data in the manner described above.
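
One way to audit documents you serve against mitigating factors 1 and 2, as an added example that is not part of the advisory: it reports whether a document contains a <bindings> element in the XBL namespace and which binding ids it declares. The namespace URI `http://www.mozilla.org/xbl` is not quoted in the advisory, and the function names and sample documents are constructed here.

```python
import xml.etree.ElementTree as ET

# Assumption: Mozilla's XBL namespace URI; the advisory does not quote it.
XBL_NS = "http://www.mozilla.org/xbl"
BINDINGS_TAG = "{%s}bindings" % XBL_NS
BINDING_TAG = "{%s}binding" % XBL_NS


def xbl_exposure(document_text):
    """Return the list of binding ids a document declares, or None when it
    has no <bindings> element in the XBL namespace (factor 1 not met)."""
    try:
        root = ET.fromstring(document_text)
    except ET.ParseError:
        # Not well-formed XML: treated as not matching for this audit.
        return None
    # Conservative: flag <bindings> anywhere in the tree, not only at the root.
    containers = list(root.iter(BINDINGS_TAG))
    if not containers:
        return None
    ids = []
    for container in containers:
        for binding in container.iter(BINDING_TAG):
            binding_id = binding.get("id")
            if binding_id is not None and binding_id not in ids:
                ids.append(binding_id)  # factor 2: ids a reader must know
    return ids


def audit(documents):
    """Map each document name to its exposure result, keeping only matches."""
    results = {name: xbl_exposure(text) for name, text in documents.items()}
    return {name: ids for name, ids in results.items() if ids is not None}


# Constructed sample documents, not taken from the advisory.
SAMPLES = {
    "xbl_with_ids": '<bindings xmlns="http://www.mozilla.org/xbl">'
                    '<binding id="acct"><content/></binding>'
                    '<binding id="prefs"/></bindings>',
    "same_name_wrong_ns": '<bindings xmlns="http://example.invalid/ns">'
                          '<binding id="acct"/></bindings>',
    "plain_markup": "<html><body>hello</body></html>",
    "malformed": '<bindings xmlns="http://www.mozilla.org/xbl"><binding id="x">',
    "prefixed": '<data xmlns:x="http://www.mozilla.org/xbl">'
                '<x:bindings><x:binding id="inner"/></x:bindings></data>',
}

if __name__ == "__main__":
    for name, ids in audit(SAMPLES).items():
        print(name, "declares XBL bindings with ids:", ids)
```

Run it only over documents you serve yourself, since the standard-library parser is not hardened against hostile XML.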

Firefox 3 is not affected by this issue.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.


Products built from the Mozilla 1.9.0 branch and later, Firefox 3 for example, are not affected by this issue. Upgrading to one of these products is a reliable workaround for this particular issue, and Mozilla recommends using the most current version of any Mozilla product. Alternatively, you can disable JavaScript until a version containing these fixes can be installed.