Mozilla Foundation Security Advisory 2009-22
Title: Firefox allows Refresh header to redirect to javascript: URIs
Impact: Moderate
Announced: April 21, 2009
Reporter: Michael
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.0.9
Description
Mozilla community member Michael reported that when a server responds with a Refresh header containing a javascript: URI, Firefox will redirect to the javascript: URI. If an attacker could inject a Refresh header into a server response, or could control the value that a site places in the Refresh header, they could use this vulnerability to perform an XSS attack and execute arbitrary JavaScript within the context of that site.
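
A server-side check for the second case above, where a site places a caller-influenced value in the Refresh header. This is an added example, not part of the original advisory or Mozilla's code; the function names, the http/https allowlist and the same-site path rule are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: this site only ever redirects to web pages.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_target(target: str) -> bool:
    """True if target may be placed in a Refresh header."""
    # Control characters and whitespace: CR/LF allow header injection, and
    # browsers strip tabs/newlines from URLs, so "java\tscript:" still parses
    # as a javascript: URI on the client.
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return False
    if parts.scheme:
        # Absolute URL: urlsplit lowercases the scheme, so "JaVaScRiPt:" is caught.
        return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)
    # No scheme: accept only same-site absolute paths, not "//host" or "/\host".
    return target.startswith("/") and not target.startswith(("//", "/\\"))


def safe_refresh_value(delay_seconds: int, target: str) -> str:
    """Build the value of a Refresh header, or raise ValueError."""
    if isinstance(delay_seconds, bool) or not isinstance(delay_seconds, int):
        raise ValueError("delay must be an integer")
    if delay_seconds < 0:
        raise ValueError("delay must be non-negative")
    if not is_safe_target(target):
        raise ValueError("refusing to emit Refresh target: %r" % target)
    return "%d; url=%s" % (delay_seconds, target)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ["https://example.org/next", "/login", "javascript:void(0)",
                   "JaVaScRiPt:void(0)", "java\tscript:void(0)",
                   "https://example.org/\r\nX-Injected: 1"]:
        print(repr(sample), "->", is_safe_target(sample))
```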