Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2008-65

Cross-domain data theft via script redirect error message

December 16, 2008
Chris Evans
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox
  • Firefox
  • Firefox 3.0.5
  • SeaMonkey 1.1.14
  • Thunderbird


Google security researcher Chris Evans reported that a website could access a limited amount of data from a different domain by loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data which is not parsable as JavaScript. Upon attempting to load the data as JavaScript a syntax error is generated that can reveal some of the file context via the window.onerror DOM API.

This issue could be used by a malicious website to steal private data from users who are authenticated on the redirected website. How much data could be at risk would depend on the format of the data and how the JavaScript parser attempts to interpret it. For most files the amount of data that can be recovered would be limited to the first word or two. Some data files might allow deeper probing with repeated loads.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Update December 18, 2008: The Windows version of Firefox was shipped without the fix for this issue (other platforms were correctly patched). Firefox has been released on Windows to correct this oversight.


Disable JavaScript until a version containing these fixes can be installed.