You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-56

Mozilla Foundation Security Advisory 2012-56

Title: Code execution through javascript: URLs
Impact: Critical
Announced: July 17, 2012
Reporter: moz_bug_r_a4
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
  Firefox ESR 10.0.6
  Thunderbird 14
  Thunderbird ESR 10.0.6
  SeaMonkey 2.11


Mozilla security researcher moz_bug_r_a4 reported a arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution.