Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2009-40

Multiple cross origin wrapper bypasses

Announced
July 21, 2009
Reporter
moz_bug_r_a4
Impact
High
Products
Firefox
Fixed in
  • Firefox 3.0.12
  • Firefox 3.5

Description

Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities in which objects that normally receive a XPCCrossOriginWrapper are constructed without the wrapper. This can lead to cases where JavaScript from one website may unsafely access properties of such an object which had been set by a different website. A malicious website could use this vulnerability to launch a XSS attack and run arbitrary JavaScript within the context of another site.

Workaround

Disable JavaScript until a version containing this fix can be installed.

References