Mozilla Foundation Security Advisory 2016-76

Scripts on marquee tag can execute in sandboxed iframes

Announced
August 2, 2016
Reporter
Nikita Arykov
Impact
Moderate
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 48
  • Firefox ESR 45.3

Description

Security researcher Nikita Arykov reported that JavaScript event handler attributes on a <marquee> tag will execute inside a sandboxed iframe that does not have the allow-scripts flag set. This could result in a cross-site scripting (XSS) vulnerability in a site that depends on the iframe sandbox for sanitization and does no other content filtering.

References