Mozilla Foundation Security Advisory 2012-78

Reader Mode pages have chrome privileges

Announced: October 9, 2012
Reporter: Warren He
Impact: Critical
Products: Firefox
Fixed in: Firefox 16

Description

Security researcher Warren He reported that when a page is transitioned into Reader Mode in Firefox for Android, the resulting page has chrome privileges and its content is not thoroughly sanitized. A successful attack requires the user to enable Reader Mode for a malicious page, which could then perform an attack similar to cross-site scripting (XSS) to gain the privileges allowed to Firefox on an Android device. This has been fixed by changing the Reader Mode page into an unprivileged page.

This vulnerability only affects Firefox for Android.
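
The fix described above moved Reader Mode output onto an unprivileged page. The same principle applied to ordinary web content, as an added example that is not Mozilla's patch or code from this advisory: extracted article markup is embedded in a sandboxed `srcdoc` frame with a restrictive CSP instead of being inserted into the privileged host page. The names `READER_CSP`, `escapeHtml`, `buildReaderFrame` and `demo`, and the sample markup, are assumptions made for illustration.

```javascript
// Added example; not Mozilla's patch. All names are hypothetical.

// Policy applied inside the frame: nothing loads or runs by default;
// images and inline styles are allowed so the article still renders.
const READER_CSP =
  "default-src 'none'; img-src https: data:; style-src 'unsafe-inline'";

// Escape text for HTML text nodes and double-quoted attribute values.
// '&' is replaced first so the entities produced below are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Wrap the extracted markup in its own document (with the CSP above) and
// embed it through srcdoc in an iframe whose sandbox attribute is empty.
// With no allow-scripts and no allow-same-origin token, the content gets an
// opaque origin, cannot run script and cannot reach the embedding page,
// even if a sanitizer upstream missed something.
function buildReaderFrame(articleHtml, title) {
  const inner =
    '<!doctype html><html><head><meta charset="utf-8">' +
    `<meta http-equiv="Content-Security-Policy" content="${escapeHtml(READER_CSP)}">` +
    `<title>${escapeHtml(title)}</title></head>` +
    `<body>${articleHtml}</body></html>`;
  // The whole inner document is escaped once more so it cannot close the
  // srcdoc attribute and inject markup into the host page.
  return `<iframe sandbox="" srcdoc="${escapeHtml(inner)}"></iframe>`;
}

// Constructed sample: article markup carrying an event handler, a script
// element and a quote sequence aimed at closing the srcdoc attribute.
function demo() {
  const extracted =
    '<p>Story text</p><img src="x" onerror="alert(1)">' +
    '"><script>alert(2)</script>';
  return buildReaderFrame(extracted, 'Example "article" <title>');
}

console.log(demo());
```

The escaping only protects the attribute boundary of the host page; script blocking inside the frame comes from the empty `sandbox` attribute and the CSP.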
