Mozilla Foundation Security Advisory 2012-72

Web console eval capable of executing chrome-privileged code

Announced
August 28, 2012
Reporter
Colby Russell
Impact
High
Products
Firefox, Firefox ESR, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 15
  • Firefox ESR 10.0.7
  • Thunderbird 15
  • Thunderbird ESR 10.0.7

Description

Security researcher Colby Russell discovered that eval in the web console can execute injected code with chrome privileges, leading to the running of malicious code in a privileged context. This allows for arbitrary code execution through a malicious web page if the web console is invoked by the user.

References