Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2013-107

Sandbox restrictions not applied to nested object elements

Announced
December 10, 2013
Reporter
Daniel Veditz
Impact
Low
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 26
  • SeaMonkey 2.23

Description

Mozilla security developer Daniel Veditz discovered that <iframe sandbox> restrictions are not applied to an <object> element contained within a sandboxed iframe. This could allow content hosted within a sandboxed iframe to use <object> element to bypass the sandbox restrictions that should be applied.

References