Mozilla Foundation Security Advisory 2013-72

Wrong principal used for validating URI for some Javascript components

Announced
August 6, 2013
Reporter
Cody Crews
Impact
High
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 23
  • Firefox ESR 17.0.8
  • SeaMonkey 2.20
  • Thunderbird 17.0.8
  • Thunderbird ESR 17.0.8

Description

Security researcher Cody Crews reported that some Javascript components will perform checks against the wrong uniform resource identifier (URI) before performing security sensitive actions. This will return an incorrect location for the originator of the call. This could be used to bypass same-origin policy, allowing for cross-site scripting (XSS) or the installation of malicious add-ons from third-party pages.

In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts.

References