javascript: Livefeed bookmarks can steal cookies

ID MFSA2005-12
Type mozilla
Reporter Mozilla Foundation
Modified 2005-01-21T00:00:00


Earlier versions of Firefox allowed javascript: and data: URLs as Livefeed bookmarks. When they updated the URL would be run in the context of the current page and could be used to steal cookies or data displayed on the page. If the user were on a page with elevated privileges (for example, about:config) when the Livefeed was updated, the feed URL could potentially run arbitrary code on the user's machine.