Mozilla Foundation Security Advisory 2012-56

Code execution through javascript: URLs

Announced
July 17, 2012
Reporter
moz_bug_r_a4
Impact
Critical
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 14
  • Firefox ESR 10.0.6
  • SeaMonkey 2.11
  • Thunderbird 14
  • Thunderbird ESR 10.0.6

Description

Mozilla security researcher moz_bug_r_a4 reported a arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution.

References