Your system may not meet the requirements for Firefox, but you can try one of these versions:

Your system doesn't meet the requirements to run Firefox.

Your system doesn't meet the requirements to run Firefox.

Please follow these instructions to install Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2010-05

XSS hazard using SVG document and binary Content-Type

Announced
February 17, 2010
Reporter
Georgi Guninski
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.0.18
  • Firefox 3.5.8
  • Firefox 3.6
  • SeaMonkey 2.0.3

Description

Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an <embed> tag with type="image/svg+xml", the Content-Type is ignored and the SVG document is processed normally. A website which allows arbitrary binary data to be uploaded but which relies on Content-Type: application/octet-stream to prevent script execution could have such protection bypassed. An attacker could upload a SVG document containing JavaScript as a binary file to a website, embed the SVG document into a malicous page on another site, and gain access to the script environment from the SVG-serving site, bypassing the same-origin policy.

References