Mozilla Foundation Security Advisory 2015-09

XrayWrapper bypass through DOM objects

Announced
January 13, 2015
Reporter
Bobby Holley, Joe Vennix
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 35
  • SeaMonkey 2.32

Description

Mozilla developer Bobby Holley reported that Document Object Model (DOM) objects with some specific properties can bypass XrayWrappers. This can allow web content to confuse privileged code, potentially enabling privilege escalation.

Update for February 12, 2015: Security researcher Joe Vennix of Rapid7 also reported another issue caused by this same problem. He discovered that setting a prototype to a proxy object could allow web content to open privileged window with the chrome property, allowing for escalation of privilege.

References