Mozilla Foundation Security Advisory 2014-47

Debugger can bypass XrayWrappers with JavaScript

Announced
April 29, 2014
Reporter
Boris Zbarsky
Impact
High
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 29
  • SeaMonkey 2.26

Description

Mozilla developer Boris Zbarsky discovered that the debugger will work with some objects while bypassing XrayWrappers. This could lead to privilege escalation if the victim used the debugger to interact with a malicious page.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References