Mozilla Foundation Security Advisory 2009-40

Multiple cross origin wrapper bypasses

Announced: July 21, 2009
Reporter: moz_bug_r_a4
Impact: High
Products: Firefox
Fixed in:
  • Firefox 3.0.12
  • Firefox 3.5

Description

Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities in which objects that normally receive an XPCCrossOriginWrapper are constructed without the wrapper. As a result, JavaScript from one website may unsafely access properties of such an object that had been set by a different website. A malicious website could use this vulnerability to launch an XSS attack and run arbitrary JavaScript within the context of another site.

Workaround

Disable JavaScript until a version containing this fix can be installed.
