Mozilla Foundation Security Advisory 2012-90
Title: Fixes for Location object issues
Announced: October 26, 2012
Reporter: Mariusz Mlynski, moz_bug_r_a4, Antoine Delignat-Lavaud
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 16.0.2
Firefox ESR 10.0.10
Thunderbird ESR 10.0.10
Mozilla has fixed a number of issues related to the
Location object in order to enhance overall security. Details for each of the current fixed issues are below.
Thunderbird is only affected by
window.location issues through RSS feeds and extensions that load web content.
Security researcher Mariusz Mlynski reported that the true value of
window.location could be shadowed by user content through the use of the
valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.
Mozilla security researcher moz_bug_r_a4 discovered that the
CheckURL function in
window.location can be forced to return the wrong calling document and principal, allowing a cross-site scripting (XSS) attack. There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content.
Security researcher Antoine Delignat-Lavaud of the PROSECCO research team at INRIA Paris reported the ability to use property injection by prototype to bypass security wrapper protections on the
Location object, allowing the cross-origin reading of the