Fixes for Location object issues

2012-10-26T00:00:00
ID MFSA2012-90
Type mozilla
Reporter Mozilla Foundation
Modified 2012-10-26T00:00:00

Description

Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Details for each of the current fixed issues are below.

Thunderbird is only affected by window.location issues through RSS feeds and extensions that load web content. Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.