Mozilla Foundation Security Advisory 2009-18

Type securityvulns
Reporter Securityvulns
Modified 2009-04-23T00:00:00


Mozilla Foundation Security Advisory 2009-18

Title: XSS hazard using third-party stylesheets and XBL bindings Impact: Low Announced: April 21, 2009 Reporter: Cefn Hoile Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.9 Description

Web developer Cefn Hoile reported that sites which allow users to embed third-party stylesheets are vulnerable to script injection attacks using XBL bindings. While this behavior was documented previously, it was determined that this particular risk was not well-understood by some websites. To mitigate this risk Mozilla added a restriction that requires XBL bindings to come from the same origin as the bound document.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. References

* CVE-2009-1308