"AnyName" entrainment and access control hazard — Mozilla

2006-02-0100:00:00

Mozilla Foundation

www.mozilla.org

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

AI Score

Confidence

Low

EPSS

0.17

Percentile

96.1%

JSON

The implementation of E4X introduced an internal “AnyName” object which was unintentionally exposed to web content. This singleton object could be used by two cooperating domains as a communication channel to get around same-origin restrictions that prevent direct access from one window or frame to another. This could not be used to violate same-origin protection of another window’s content, it was simply a mutually accessible storage spot. E4X was not supported in Firefox 1.0 or Mozilla 1.7

Affected configurations

Vulners

Node

mozillafirefoxRange<1.5.0.1

mozillaseamonkeyRange<1

mozillathunderbirdRange<1.5.0.2

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillaseamonkey*cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	seamonkey	*	cpe:2.3:a:mozilla:seamonkey::::::::
mozilla	thunderbird	*	cpe:2.3:a:mozilla:thunderbird::::::::