Mozilla Foundation Security Advisory 2010-12

XSS using addEventListener and setTimeout on a wrapped object

March 23, 2010
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.0.18
  • Firefox 3.5.8
  • Firefox 3.6.2
  • SeaMonkey 2.0.3
  • Thunderbird 3.0.2


Mozilla security researcher moz_bug_r_a4 reports that by using an appropriately wrapped object it was possible to bypass the fix for MFSA 2007-19. Prior to Firefox 3.6 this gives an attacker the ability to perform cross-site scripting attacks against arbitrary sites as in the original MFSA 2007-19 attack. Due to unrelated changes in the browser engine used by Firefox 3.6, attacks in that version are limited to capturing keystroke events from a cross-origin frame or window rather than full DOM access. Those events might be sufficient to illicitly obtain passwords or other sensitive information entered into web forms.

Thunderbird does not allow JavaScript to run in mail messages, but users who open web content (such as RSS feeds, or other content through add-ons) could be at risk.