Bugzilla@Mozilla – Bug 585284
XSS using SJOW's scripted function
Last modified: 2010-09-27 18:31:51 PDT
1.9.1 branch has a similar problem to bug 584180. On 1.9.1, SJOW creates a scripted function that can be abused. If a scripted function's parent is an outer window, an array that is created in that function comes from a current inner window.
Created attachment 463776 (testcase): This tries to get cookies for www.apple.com. This works on 1.9.1.
Created attachment 464682: Patch
Comment on attachment 464682 (Patch): I don't actually know what release this should go in.
Comment on attachment 464682 (Patch): a=LegNeato for 1.9.1.12
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/28e2ed70bd32