Computer Security Incident Response Team of Mauritius (CERT-MU)

CERT-MU AD-2012-29

Mozilla Firefox / Thunderbird / SeaMonkey "Location" Object Multiple Vulnerabilities
 
Updated: October 29, 2012
 
Severity Rating: High
 
Overview
Some vulnerabilities have been reported in Mozilla Firefox, Thunderbird, and SeaMonkey, which can be exploited by malicious people to bypass certain security restrictions and conduct cross-site scripting attacks.
 
Description
The vulnerabilities are described below:

1) An error when handling the "window.location" object can be exploited to shadow the object and conduct cross-site scripting attacks.

2) An error within the "CheckURL()" function of the "window.location" object can be exploited to return the wrong calling document and principal and conduct cross-site scripting attacks.

3) An error within the handling of the Location object can be exploited to bypass security wrapper protection and access the Location object of other domains.

The vulnerabilities are reported in the following products:
* Mozilla Firefox and Thunderbird versions prior to 16.0.2.
* Mozilla Firefox ESR and Thunderbird ESR versions prior to 10.0.10.
* Mozilla SeaMonkey versions prior to 2.13.2.
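
The version thresholds above can be checked against a software inventory. The following is an added example, not part of the original advisory: the inventory rows are constructed, and the "esr" suffix used to mark ESR builds is an assumption about how the inventory records them.

```python
import re

# Fixed versions as stated in the advisory; the channel names are this example's own.
FIXED = {
    ("firefox", "release"): (16, 0, 2),
    ("firefox", "esr"): (10, 0, 10),
    ("thunderbird", "release"): (16, 0, 2),
    ("thunderbird", "esr"): (10, 0, 10),
    ("seamonkey", "release"): (2, 13, 2),
}

def parse_version(text):
    """Return (version_tuple, is_esr) for strings such as '16.0.1' or '10.0.9esr'."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){0,2})\s*(esr)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))  # pad so that '2.13' compares as 2.13.0
    return parts, bool(m.group(2))

def is_affected(product, version_text):
    """True if the installed version is prior to the fixed version for its channel."""
    parts, esr = parse_version(version_text)
    key = (product.lower(), "esr" if esr else "release")
    if key not in FIXED:
        raise KeyError(f"product/channel not covered by the advisory: {key}")
    # A 10.x build not tagged as ESR is compared against 16.0.2 and reported
    # as affected, so the ESR label in the inventory must be reliable.
    return parts < FIXED[key]

# Constructed inventory rows (host, product, version) for illustration only.
INVENTORY = [
    ("ws-01", "Firefox", "16.0.1"),
    ("ws-02", "Firefox", "16.0.2"),
    ("ws-03", "Firefox", "10.0.9esr"),
    ("ws-04", "Firefox", "10.0.10esr"),
    ("ws-05", "Thunderbird", "15.0.1"),
    ("ws-06", "SeaMonkey", "2.13"),
]

def affected_hosts(rows):
    """Return the hosts whose installed product still needs the update."""
    return [host for host, product, version in rows if is_affected(product, version)]

if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(host)
```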
 
Affected Systems
  • Mozilla Firefox 10.X
  • Mozilla Firefox 16.X
  • Mozilla SeaMonkey 2.X
  • Mozilla Thunderbird 10.X
  • Mozilla Thunderbird 16.X
 
Solution
Users are advised to apply updates.
 
More information about the update is available on:
 
CVE Information
 
 
 
 
References
 
 
Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.
 
Contact Information
E-mail:
 
 
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis