Mozilla Foundation Security Advisory 2012-13

XSS with Drag and Drop and Javascript: URL

Announced
March 13, 2012
Reporter
Soroush Dalili
Impact
Moderate
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 11
  • Firefox 3.6.28
  • Firefox ESR 10.0.3
  • SeaMonkey 2.8
  • Thunderbird 11
  • Thunderbird 3.1.20
  • Thunderbird ESR 10.0.3

Description

Firefox prevents the dropping of javascript: links onto a frame to prevent malicious sites from tricking users into performing cross-site scripting (XSS) attacks on themselves. Security researcher Soroush Dalili reported a way to bypass this protection.
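As an added illustration of the protection described above (example code, not Mozilla's implementation and not related to the reported bypass), the following drop handler decides whether a URL dropped onto a frame may be loaded there. It assumes a page-side `<iframe>` whose `src` the handler sets, and relies on the WHATWG URL parser to normalize the scheme before an allowlist check.

```javascript
// Added example, not Firefox code: block javascript: (and every other
// non-web scheme) when a link is dropped onto a frame, so the drop can
// never run script in the frame's origin (the self-XSS the advisory describes).
//
// The check is allowlist-based. The WHATWG URL parser lowercases the scheme
// and strips surrounding whitespace, so matching on `protocol` is more robust
// than comparing the raw dropped string.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL to load, or null when the drop must be blocked.
function frameUrlForDrop(droppedText) {
  if (typeof droppedText !== "string") return null;
  let parsed;
  try {
    parsed = new URL(droppedText); // no base URL: only absolute URLs are accepted
  } catch {
    return null; // unparseable input is never navigated
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Drop handler for a frame element (assumed to expose a writable `src`).
// Returns true when the frame was navigated, false when the drop was refused.
function handleDrop(event, frame) {
  event.preventDefault(); // never let the browser perform the default drop navigation
  const url = frameUrlForDrop(event.dataTransfer.getData("text/uri-list"));
  if (url === null) return false;
  frame.src = url;
  return true;
}

// Constructed sample inputs for illustration.
const SAMPLE_DROPS = [
  "https://example.com/page", // allowed
  "javascript:void(0)",       // refused: script scheme
  "data:text/html,hello",     // refused: not on the allowlist
  "not a url",                // refused: does not parse
];

function classifyDrops(drops) {
  return drops.map((d) => ({ input: d, load: frameUrlForDrop(d) }));
}

console.log(classifyDrops(SAMPLE_DROPS));
```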

References