Mozilla Foundation Security Advisory 2009-02

XSS using a chrome XBL method and window.eval

Announced
February 3, 2009
Reporter
moz_bug_r_a4
Impact
High
Products
Firefox
Fixed in
  • Firefox 3.0.6

Description

Mozilla security researcher moz_bug_r_a4 reported that a chrome XBL method can be used in conjuction with window.eval to execute arbitrary JavaScript within the context of another website, violating the same origin policy.

Firefox 2 releases are not affected.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References