Mozilla Foundation Security Advisory 2013-112

Linux clipboard information disclosure though selection paste

Announced
December 10, 2013
Reporter
Vincent Lefevre
Impact
Low
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 26
  • SeaMonkey 2.23

Description

Mozilla community member Vincent Lefevre reported that on Linux systems, web content can access data saved to the clipboard when a user attempts to paste a selection with a middle-click instead of pasting the selection content. This allows for possibly private data in the clipboard to be inadvertently disclosed to web content. Windows and OS X systems are not affected by this issue.

In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts.

References