Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2016-76

Scripts on marquee tag can execute in sandboxed iframes

Announced
August 2, 2016
Reporter
Nikita Arykov
Impact
Moderate
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 48
  • Firefox ESR 45.3

Description

Security researcher Nikita Arykov reported that JavaScript event handler attributes on a <marquee> tag will execute inside a sandboxed iframe that does not have the allow-scripts flag set. This could result in a cross-site scripting (XSS) vulnerability in a site that depends on the iframe sandbox for sanitization and does no other content filtering.

References