You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-03

Mozilla Foundation Security Advisory 2012-03

Title: <iframe> element exposed across domains via name attribute
Impact: High
Announced: January 31, 2012
Reporter: Vitaly Nevgen
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 10.0
  Thunderbird 10.0
  SeaMonkey 2.7


Vitaly Nevgen reported that an attacker could replace a sub-frame in another domain's document by using the name attribute of the sub-frame as a form submission target. This can potentially allow for phishing attacks against users and violates the HTML5 frame navigation policy.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.