FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

firefox -- arbitrary code execution in sidebar panel

Affected packages
firefox < 1.0.3,1
linux-firefox < 1.0.3

Details

VuXML ID 1f2fdcff-ae60-11d9-a788-0001020eed82
Discovery 2005-04-12
Entry 2005-04-16

A Mozilla Foundation Security Advisory reports:

Sites can use the _search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page (such as about:config) and then inject script using a javascript: URL. This could be used to install malicious code or steal data without user interaction.

Workaround: Disable JavaScript

References

URL http://www.mozilla.org/security/announce/mfsa2005-39.html