
Mozilla Foundation Security Advisory 2010-12

Title: XSS using addEventListener and setTimeout on a wrapped object
Impact: High
Announced: March 23, 2010
Reporter: moz_bug_r_a4
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.2
  Firefox 3.5.8
  Firefox 3.0.18
  Thunderbird 3.0.2
  SeaMonkey 2.0.3


Mozilla security researcher moz_bug_r_a4 reports that, by using an appropriately wrapped object, it was possible to bypass the fix for MFSA 2007-19. In versions prior to Firefox 3.6, this gives an attacker the ability to perform cross-site scripting attacks against arbitrary sites, as in the original MFSA 2007-19 attack. Due to unrelated changes in the browser engine used by Firefox 3.6, attacks in that version are limited to capturing keystroke events from a cross-origin frame or window rather than gaining full DOM access. Those events might be sufficient to illicitly obtain passwords or other sensitive information entered into web forms.

Thunderbird does not allow JavaScript to run in mail messages, but users who open web content (such as RSS feeds, or other content through add-ons) could be at risk.