Mozilla Foundation Security Advisory 2012-03

Type securityvulns
Reporter Securityvulns
Modified 2012-02-03T00:00:00



Title: <iframe> element exposed across domains via name attribute
Impact: High
Announced: January 31, 2012
Reporter: Alex Dvorov
Products: Firefox, Thunderbird, SeaMonkey

Fixed in:
Firefox 10.0
Thunderbird 10.0
SeaMonkey 2.7

Description

Alex Dvorov reported that an attacker could replace a sub-frame in another domain's document by using the name attribute of the sub-frame as a form submission target. This can potentially allow for phishing attacks against users and violates the HTML5 frame navigation policy.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.
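
The frame navigation policy that the description refers to can be modelled over plain objects. The following is an added example, not code from Mozilla or from the advisory: it implements the HTML5 specification's "allowed to navigate" rule, and the origins, frame names and the `resolveNamedTarget` helper (a simplified named-target lookup) are constructed for illustration.

```javascript
// Added illustration (not Mozilla code): a model of the HTML5
// "allowed to navigate" rule. Browsing contexts are plain objects.
function context(name, origin, parent = null, opener = null) {
  return { name, origin, parent, opener };
}

function topLevel(c) {
  while (c.parent) c = c.parent;
  return c;
}

// May browsing context `a` navigate browsing context `b`?
function allowedToNavigate(a, b) {
  if (a.origin === b.origin) return true;          // same origin
  if (a.parent && topLevel(a) === b) return true;  // nested frame -> its own top window
  if (!b.parent) {                                 // b is top-level:
    // only an auxiliary window (one with an opener) can still qualify
    return b.opener ? allowedToNavigate(a, b.opener) : false;
  }
  for (let p = b.parent; p; p = p.parent) {        // b is a sub-frame:
    if (p.origin === a.origin) return true;        // an ancestor shares a's origin
  }
  return false;
}

// Simplified named-target lookup (hypothetical helper): a form's target
// resolves to an existing context only if the submitter may navigate it;
// otherwise the name does not match and a new window would be used.
function resolveNamedTarget(source, name, contexts) {
  const hit = contexts.find(
    (c) => c.name === name && allowedToNavigate(source, c));
  return hit || null;
}

// Constructed scenario: a site embedding a cross-origin named sub-frame,
// a third-party sibling frame, and an unrelated window.
const site = context("", "https://site.example");
const login = context("login", "https://sso.example", site);
const ad = context("ad", "https://ads.example", site);
const other = context("", "https://other.example");
const all = [site, login, ad, other];

function demo() {
  return {
    embedder: resolveNamedTarget(site, "login", all) === login, // true
    unrelated: resolveNamedTarget(other, "login", all),          // null
    sibling: resolveNamedTarget(ad, "login", all),               // null
    adToTop: allowedToNavigate(ad, site),                        // true
  };
}
```

Under this rule a form submitted from the unrelated window with `target="login"` must not resolve to the embedded sub-frame; only the embedding site, or a context sharing an origin with the frame or one of its ancestors, may replace it.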


<iframe> element is exposed across domains by its name attribute
CVE-2012-0445
Security navigation section of the HTML5 specification