Mozilla Foundation Security Advisory 2012-72

Web console eval capable of executing chrome-privileged code

Announced

August 28, 2012

Reporter

Colby Russell

Impact

High

Products

Firefox, Firefox ESR, Thunderbird, Thunderbird ESR

Fixed in

Firefox 15
Firefox ESR 10.0.7
Thunderbird 15
Thunderbird ESR 10.0.7

Description

Security researcher Colby Russell discovered that eval in the web console can execute injected code with chrome privileges, leading to the running of malicious code in a privileged context. This allows for arbitrary code execution through a malicious web page if the web console is invoked by the user.

References

Console eval results capable of executing chrome-privileged code
CVE-2012-3980

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Privacy Promise

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Product Promise

Firefox Relay

MDN Plus

Mozilla Manifesto

Mozilla Foundation

Get involved

Leadership

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Common Voice

Mozilla Innovation Projects

Mozilla Foundation Security Advisory 2012-72

Web console eval capable of executing chrome-privileged code

Description

References