You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2009-61

Mozilla Foundation Security Advisory 2009-61

Title: Cross-origin data theft through document.getSelection()
Impact: Moderate
Announced: October 27, 2009
Reporter: Gregory Fleischer
Products: Firefox 3

Fixed in: Firefox 3.5.4
  Firefox 3.0.15

This vulnerability does not affect products based on the older Gecko 1.8 engine such as Firefox 2 or SeaMonkey 1.1

Description

Security researcher Gregory Fleischer reported that text within a selection on a web page can be read by JavaScript in a different domain using the document.getSelection function, violating the same-origin policy. Since this vulnerability requires user interaction to exploit, its severity was determined to be moderate.

References