You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-46
Mozilla Foundation Security Advisory 2010-46
Title: Cross-domain data theft using CSS
Impact: Moderate
Announced: July 20, 2010
Reporter: Chris Evans
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.7
Firefox 3.5.11
Thunderbird 3.1.1
Thunderbird 3.0.6
SeaMonkey 2.0.6
Description
Google security researcher Chris Evans reported
that data can be read across domains by injecting bogus CSS selectors
into a target site and then retrieving the data using JavaScript APIs.
If an attacker can inject opening and closing portions of a CSS
selector into points A and B of a target page, then the region between
the two injection points becomes readable to JavaScript through, for
example, the getComputedStyle()
API.