You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-69

Mozilla Foundation Security Advisory 2010-69

Title: Cross-site information disclosure via modal calls
Impact: High
Announced: October 19, 2010
Reporter: Eduardo Vela Nava
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.11
  Firefox 3.5.14
  Thunderbird 3.1.5
  Thunderbird 3.0.9
  SeaMonkey 2.0.9


Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another web site.