Mozilla Foundation Security Advisory 2012-100
Title: Improper security filtering for cross-origin wrappers
Announced: November 20, 2012
Reporter: Bobby Holley
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 17.0
Firefox ESR 10.0.11
Thunderbird ESR 10.0.11
Mozilla developer Bobby Holley reported that security wrappers filter at the time of property access, but once a function is returned, the caller can use this function without further security checks. This affects cross-origin wrappers, allowing for write actions on objects when only read actions should be properly allowed. This can lead to cross-site scripting (XSS) attacks.
In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.