Mozilla Foundation Security Advisory 2010-69

Cross-site information disclosure via modal calls

Announced

October 19, 2010

Reporter

Eduardo Vela Nava

Impact

High

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 3.5.14
Firefox 3.6.11
SeaMonkey 2.0.9
Thunderbird 3.0.9
Thunderbird 3.1.5

Description

Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another web site.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=576616
CVE-2010-3178

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising