XSS using a chrome XBL method and window.eval

ID MFSA2009-02
Type mozilla
Reporter Mozilla Foundation
Modified 2009-02-03T00:00:00


Mozilla security researcher moz_bug_r_a4 reported that a chrome XBL method can be used in conjunction with window.eval to execute arbitrary JavaScript within the context of another website, violating the same-origin policy. Firefox 2 releases are not affected.