Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2010-1585

Source

Mozilla Foundation Security Advisory 2011-08

ParanoidFragmentSink allows javascript: URLs in chrome documents

Announced

March 1, 2011

Reporter

Roberto Suggi Liverani

Impact

Moderate

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 3.5.17
Firefox 3.6.14
SeaMonkey 2.0.12
Thunderbird 3.1.8

Description

Security researcher Roberto Suggi Liverani reported that ParanoidFragmentSink, a class used to sanitize potentially unsafe HTML for display, allows javascript: URLs and other inline JavaScript when the embedding document is a chrome document. While there are no unsafe uses of this class in any released products, extension code could have potentially used it in an unsafe manner.

References

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ParanoidFragmentSink allows javascript: URLs in chrome documents

ParanoidFragmentSink allows javascript: URLs in chrome documents

Description

References

Vulmon Search

About

Products

Connect