Mozilla Firefox and Thunderbird are vulnerable to cross-site scripting (XSS). Use of the valueOf method to shadow the location object (window.location) is not prevented, allowing remote attackers to inject arbitrary JavaScript into a victim’s web browser via a malicious plugin.
lists.opensuse.org/opensuse-security-announce/2012-10/msg00019.html
lists.opensuse.org/opensuse-security-announce/2012-10/msg00025.html
rhn.redhat.com/errata/RHSA-2012-1407.html
rhn.redhat.com/errata/RHSA-2012-1413.html
secunia.com/advisories/51121
secunia.com/advisories/51123
secunia.com/advisories/51127
secunia.com/advisories/51144
secunia.com/advisories/51146
secunia.com/advisories/51147
secunia.com/advisories/51165
secunia.com/advisories/55318
www.mozilla.org/security/announce/2012/mfsa2012-90.html
www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
www.securityfocus.com/bid/56301
www.ubuntu.com/usn/USN-1620-1
www.ubuntu.com/usn/USN-1620-2
access.redhat.com/security/updates/classification/#critical
bugzilla.mozilla.org/show_bug.cgi?id=800666
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16918