Mozilla

Mozilla Foundation Security Advisory 2012-46

XSS through data: URLs

Announced
July 17, 2012
Reporter
moz_bug_r_a4
Impact
High
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 14
  • Firefox ESR 10.0.6

Description

Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, context menu functionality ("View Image", "Show only this frame", and "View background image") are disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution.

References