Mozilla Foundation Security Advisory 2014-47
- April 29, 2014
- Boris Zbarsky
- Firefox, SeaMonkey
- Fixed in
- Firefox 29
- SeaMonkey 2.26
Mozilla developer Boris Zbarsky discovered that the debugger will work with some objects while bypassing XrayWrappers. This could lead to privilege escalation if the victim used the debugger to interact with a malicious page.
In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.