You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-04
Mozilla Foundation Security Advisory 2010-04
Title: XSS due to window.dialogArguments being readable cross-domain
Impact: Moderate
Announced: February 17, 2010
Reporter: Hidetake Jo, TippingPoint ZDI
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.6
Firefox 3.5.8
Firefox 3.0.18
SeaMonkey 2.0.3
Description
Security researcher Hidetake Jo of Microsoft
Vulnerability Research reported that the properties set on an object
passed to showModalDialog
were readable by the document
contained in the dialog, even when the document was from a different
domain. This is a violation of the same-origin policy and could
result in a website running untrusted JavaScript if it assumed
the dialogArguments
could not be initialized by another
site.
An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla.