Mozilla Foundation Security Advisory 2012-46
Title: XSS through data: URLs
Announced: July 17, 2012
Fixed in: Firefox 14
Firefox ESR 10.0.6
Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a
data: URL. In this issue, context menu functionality ("View Image", "Show only this frame", and "View background image") are disallowed in a
data: URL, allowing for XSS. This can lead to arbitrary code execution.