Mozilla Foundation Security Advisory 2010-69
Title: Cross-site information disclosure via modal calls
Impact: High
Announced: October 19, 2010
Reporter: Eduardo Vela Nava
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.11, Firefox 3.5.14, Thunderbird 3.1.5, Thunderbird 3.0.9, SeaMonkey 2.0.9
Description
Security researcher Eduardo Vela Nava reported that
if a web page opened a new window and used a javascript: URL to make a
modal call, such as alert(), then subsequently navigated
the page to a different domain, once the modal call returned the
opener of the window could get access to objects in the navigated
window. This is a violation of the same-origin policy and could be
used by an attacker to steal information from another web site.
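
An added example, not part of Mozilla's advisory: a small Python audit that classifies installed builds against the "Fixed in" versions listed above, comparing patch levels numerically so that 3.6.9 is not mistaken for newer than 3.6.11. The inventory format, host names and function names are assumptions made for illustration; branches the advisory does not list are reported as unknown rather than guessed.

```python
import re

# Fixed patch level per release branch, copied from the advisory's "Fixed in" list.
FIXED_IN = {
    "firefox": {(3, 6): 11, (3, 5): 14},
    "thunderbird": {(3, 1): 5, (3, 0): 9},
    "seamonkey": {(2, 0): 9},
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def classify(product, version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one installed build."""
    branches = FIXED_IN.get(product.strip().lower())
    match = VERSION_RE.match(version.strip())
    if branches is None or match is None:
        # Product not in the advisory, or a pre-release/garbled version string.
        return "unknown"
    major, minor = int(match.group(1)), int(match.group(2))
    patch = int(match.group(3) or 0)  # "3.6" is treated as 3.6.0
    fixed_patch = branches.get((major, minor))
    if fixed_patch is None:
        # The advisory lists no fix for this branch; do not guess.
        return "unknown"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def audit(inventory_csv):
    """Classify each 'host,product,version' line; skips blanks and '#' comments."""
    results = []
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            results.append((line, "unknown"))  # malformed row, flag for review
            continue
        host, product, version = fields
        results.append((host, classify(product, version)))
    return results


# Constructed sample inventory (hypothetical hosts), not data from the advisory.
SAMPLE = """# host,product,version
ws-01,Firefox,3.6.9
ws-02,Firefox,3.5.14
ws-03,Thunderbird,3.1.5
ws-04,SeaMonkey,2.0.8
ws-05,Firefox,4.0b6
ws-06,Thunderbird,3.0
"""
```

Calling audit(SAMPLE) returns one (host, status) pair per inventory row; rows marked unknown need manual review against the vendor's release notes.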