Mozilla Foundation Security Advisory 2011-02

Recursive eval call causes confirm dialogs to evaluate to true

Announced
March 1, 2011
Reporter
Zach Hoffman
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.5.17
  • Firefox 3.6.14
  • SeaMonkey 2.0.12

Description

Security researcher Zach Hoffman reported that a recursive call to eval() wrapped in a try/catch statement places the browser into a inconsistent state. Any dialog box opened in this state is displayed without text and with non-functioning buttons. Closing the window causes the dialog to evaluate to true. An attacker could use this issue to force a user into accepting any dialog, such as one granting elevated privileges to the page presenting the dialog.

References