Mozilla Foundation Security Advisory 2008-62

Additional XSS attack vectors in feed preview

Announced

December 16, 2008

Reporter

moz_bug_r_a4

Impact

Critical

Products

Firefox

Fixed in

Firefox 2.0.0.19

Description

Mozilla security researcher moz_bug_r_a4 reported an additional variation on the feed preview vulnerabilities fixed in Firefox 2.0.0.17. moz_bug_r_a4 demonstrated that it was still possible to use the feed preview as a vector for JavaScript privilege escalation. An attacker could use this issue to run arbitrary JavaScript with chrome privileges.

Firefox 3 is not affected by this issue.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=453526
CVE-2008-5504

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog