Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site.
CPE | Name | Operator | Version |
---|---|---|---|
firefox | lt | 3.5.12 | |
firefox | lt | 3.6.9 | |
seamonkey | lt | 2.0.7 | |
thunderbird | lt | 3.0.7 | |
thunderbird | lt | 3.1.3 |