• Roadmap
• Projects
• Coding
  • Module Owners
  • Hacking
  • Get the Source
  • Build It
• Testing
  • Releases
  • Nightly Builds
  • Report A Bug
• Tools
  • Bugzilla
  • Tinderbox
  • Bonsai
  • LXR
• FAQs

Mozilla Foundation Security Advisory 2005-39

Title: Arbitrary code execution from Firefox sidebar panel II
Severity: Critical
Reporter: Kohei Yoshino
Products: Firefox

Fixed in: Firefox 1.0.3

Description

Sites can use the _search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page (such as about:config) and then inject script using a javascript: url. This could be used to install malicious code or steal data without user interaction.

Workaround

Disable Javascript

References

https://bugzilla.mozilla.org/show_bug.cgi?id=290079

---