Mozilla Foundation Security Advisory 2012-03

2012-02-03T00:00:00
ID SECURITYVULNS:DOC:27602
Type securityvulns
Reporter Securityvulns
Modified 2012-02-03T00:00:00

Description

Mozilla Foundation Security Advisory 2012-03

Title: <iframe> element exposed across domains via name attribute Impact: High Announced: January 31, 2012 Reporter: Alex Dvorov Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 10.0 Thunderbird 10.0 SeaMonkey 2.7 Description

Alex Dvorov reported that an attacker could replace a sub-frame in another domain's document by using the name attribute of the sub-frame as a form submission target. This can potentially allow for phishing attacks against users and violates the HTML5 frame navigation policy.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability

References

<iframe> element is exposed across domains by its name attribute CVE-2012-0445 Security navigation section of the HTML5 specification