Mozilla Firefox / Thunderbird / SeaMonkey "Location" Object Multiple Vulnerabilities
Updated: October 29, 2012
Severity Rating: High
Some vulnerabilities have been reported in Mozilla Firefox, Thunderbird, and SeaMonkey, which can be exploited by malicious people to bypass certain security restrictions and conduct cross-site scripting attacks.
The vulnerabilities are described below:
1) An error when handling the "window.location" object can be exploited to shadow the object and conduct cross-site scripting attacks.
2) An error within the "CheckURL()" function of the "window.location" object can be exploited to return the wrong calling document and principal and conduct cross-site scripting attacks.
3) An error within the handling of the Location object can be exploited to bypass security wrapper protection and access the Location object of other domains.
The vulnerabilities are reported in the following products:
* Mozilla Firefox and Thunderbird versions prior to 16.0.2.
* Mozilla Firefox ESR and Thunderbird ESR versions prior to 10.0.10.
* Mozilla SeaMonkey versions prior to 2.13.2.
- Mozilla Firefox 10.X
- Mozilla Firefox 16.X
- Mozilla SeaMonkey 2.X
- Mozilla Thunderbird 10.X
- Mozilla Thunderbird 16.X
Users are advised to apply updates.
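To find installations that still need the update, the fixed versions listed above can be checked against a software inventory. The following is an added example, not code from CERT-MU or Mozilla; the function names, the inventory record layout, and the convention that ESR builds carry an "esr" suffix in the version string are assumptions.

```python
import re

# Fixed versions taken from the advisory; key is (product, is_esr).
FIXED = {
    ("firefox", False): (16, 0, 2),
    ("thunderbird", False): (16, 0, 2),
    ("firefox", True): (10, 0, 10),
    ("thunderbird", True): (10, 0, 10),
    ("seamonkey", False): (2, 13, 2),
}

def parse_version(text):
    """Return ((major, minor, patch), is_esr) for strings such as '10.0.9esr'."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){0,2})(esr)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # '16.0' compares as 16.0.0
    return tuple(parts), m.group(2) is not None

def is_affected(product, version, esr=False):
    """True if the install predates the fixed version for its branch."""
    numbers, esr_suffix = parse_version(version)
    name = product.strip().lower()
    # The advisory lists no separate ESR branch for SeaMonkey.
    on_esr = (esr or esr_suffix) and name != "seamonkey"
    try:
        fixed = FIXED[(name, on_esr)]
    except KeyError:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    return numbers < fixed

def audit(inventory):
    """Return the (host, product, version) records that still need the update."""
    return [rec for rec in inventory if is_affected(rec[1], rec[2])]

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "16.0.1"),
    ("ws-02", "Firefox", "16.0.2"),
    ("ws-03", "Firefox", "10.0.9esr"),
    ("ws-04", "Thunderbird", "10.0.10esr"),
    ("ws-05", "SeaMonkey", "2.13.1"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs the update")
```

A 10.x version without the ESR marker is compared against the 16.0.2 release threshold, so it is reported as affected.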
More information about the update is available on:
The information provided herein is on an "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street