Mozilla Foundation Security Advisory 2009-61

Cross-origin data theft through document.getSelection()

Announced
October 27, 2009
Reporter
Gregory Fleischer
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 3.0.15
  • Firefox 3.5.4

This vulnerability does not affect products based on the older Gecko 1.8 engine such as Firefox 2 or SeaMonkey 1.1

Description

Security researcher Gregory Fleischer reported that text within a selection on a web page can be read by JavaScript in a different domain using the document.getSelection function, violating the same-origin policy. Since this vulnerability requires user interaction to exploit, its severity was determined to be moderate.

References