Mozilla Foundation Security Advisory 2009-70

Privilege escalation via chrome window.opener

December 15, 2009
David James
Firefox, SeaMonkey
Fixed in
  • Firefox 3.0.16
  • Firefox 3.5.6
  • SeaMonkey 2.0.1


Security researcher David James reported that a content window which is opened by a chrome window retains a reference to the chrome window via the window.opener property. Using this reference, content in the new window can access functions inside the chrome window, such as eval, and use these functions to run arbitrary JavaScript code with chrome privileges. In a stock Mozilla browser a remote attacker can not cause these application dialogs to appear nor to automatically load the attack code that takes advantage of this flaw in window.opener. There may be add-ons which open potentially hostile web-content in this way, and combined with such an add-on the severity of this flaw could be upgraded to Critical.