Mozilla Foundation Security Advisory 2008-61
Title: Information stealing via loadBindingDocument
Impact: Moderate
Announced: December 16, 2008
Reporter: Boris Zbarsky
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 2.0.0.19
Thunderbird 2.0.0.19
SeaMonkey 1.1.14
Description
Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:
Firefox 3 is not affected by this issue.
Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.
Workaround
Products built from the Mozilla 1.9.0 branch and later, Firefox 3 for example, are not affected by this issue. Upgrading to one of these products is a reliable workaround for this particular issue and it is also Mozilla's recommendation that the most current version of any Mozilla product be used. Alternatively, you can disable JavaScript until a version containing these fixes can be installed.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=379959
* CVE-2008-5503