Mozilla Foundation Security Advisory 2008-61

Mozilla Foundation Security Advisory 2008-61

Title: Information stealing via loadBindingDocument
Impact: Moderate
Announced: December 16, 2008
Reporter: Boris Zbarsky
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 2.0.0.19
Thunderbird 2.0.0.19
SeaMonkey 1.1.14
Description

Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:

1. The target document requires a <bindingsi> element in the XBL namespace in order to be read.
2. The reader of the data needs to know the id attribute of the binding being read in advance.
3. It is unlikely that web services will expose private data in the manner described above.

Firefox 3 is not affected by this issue.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.
Workaround

Products built from the Mozilla 1.9.0 branch and later, Firefox 3 for example, are not affected by this issue. Upgrading to one of these products is a reliable workaround for this particular issue and it is also Mozilla's recommendation that the most current version of any Mozilla product be used. Alternatively, you can disable JavaScript until a version containing these fixes can be installed.
References

* https://bugzilla.mozilla.org/show_bug.cgi?id=379959
* CVE-2008-5503