Mozilla Foundation Security Advisory 2009-46

Chrome privilege escalation due to incorrectly cached wrapper

Announced
August 3, 2009
Reporter
Wladimir Palant, moz_bug_r_a4
Impact
Critical
Products
Firefox
Fixed in
  • Firefox 3.5.2

Description

Mozilla add-on developer and community member Wladimir Palant reported broken functionality on pages that had a Link: HTTP header when an add-on was installed which implemented a Content Policy in JavaScript, such as AdBlock Plus or NoScript. Mozilla security researcher moz_bug_r_a4 demonstrated that the broken functionality was due to the window's global object receiving an incorrect security wrapper and that this issue could be used to execute arbitrary JavaScript with chrome privileges.

This vulnerability does not affect Firefox prior to version 3.5.
