You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2009-18

Mozilla Foundation Security Advisory 2009-18

Title: XSS hazard using third-party stylesheets and XBL bindings
Impact: Low
Announced: April 21, 2009
Reporter: Cefn Hoile
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.9


Web developer Cefn Hoile reported that sites which allow users to embed third-party stylesheets are vulnerable to script injection attacks using XBL bindings. While this behavior was documented previously, it was determined that this particular risk was not well-understood by some websites. To mitigate this risk Mozilla added a restriction that requires XBL bindings to come from the same origin as the bound document.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.