You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2008-23

Mozilla Foundation Security Advisory 2008-23

Title: Signed JAR tampering
Impact: High
Announced: July 1, 2008
Reporter: Collin Jackson, Adam Barth
Products: Firefox, SeaMonkey

Fixed in: Firefox 3.0
  SeaMonkey 1.1.10


Security researchers Collin Jackson and Adam Barth reported a series of vulnerabilities which allow JavaScript to be injected into the context of signed JARs and executed under the context of the JAR's signer. This could allow an attacker to run JavaScript in a victim's browser with the privileges of a different website, provided the attacker possesses a JAR signed by the other website.

One variant allowed JavaScript to be injected into documents inside a signed JAR file. An additional vulnerability exploited signed JAR files which use relative URLs to JavaScript files. An attacker could use this vulnerability to trick the browser into treating an attacker-controlled JavaScript file as the file the signed JAR intended to reference.