Mozilla Foundation Security Advisory 2010-42

2010-07-24T00:00:00
ID SECURITYVULNS:DOC:24315
Type securityvulns
Reporter Securityvulns
Modified 2010-07-24T00:00:00

Description

Mozilla Foundation Security Advisory 2010-42

Title: Cross-origin data disclosure via Web Workers and importScripts Impact: High Announced: July 20, 2010 Reporter: Yosuke Hasegawa Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.7 Firefox 3.5.11 Thunderbird 3.1.1 Thunderbird 3.0.6 SeaMonkey 2.0.6 Description

Security researcher Yosuke Hasegawa reported that the Web Worker method importScripts can read and parse resources from other domains even when the content is not valid JavaScript. This is a violation of the same-origin policy and could be used by an attacker to steal information from other sites. References

* https://bugzilla.mozilla.org/show_bug.cgi?id=568148
* CVE-2010-1213