You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-62

Mozilla Foundation Security Advisory 2010-62

Title: Copy-and-paste or drag-and-drop into designMode document allows XSS
Impact: Moderate
Announced: September 7, 2010
Reporter: Paul Stone
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.9
  Firefox 3.5.12
  Thunderbird 3.1.3
  Thunderbird 3.0.7
  SeaMonkey 2.0.7


Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site.