Mozilla developer Blake Kaplan reported
that setTimeout
, when called with certain object
parameters which should be protected with
a XPCNativeWrapper
, will fail to keep the object wrapped
when compiling the new function to be executed. If chrome privileged
code were to call setTimeout
using this
as
an argument, the this
object will lose its wrapper and
could be unsafely accessed by chrome code. An attacker could use such
vulnerable code to run arbitrary JavaScript with chrome
privileges.
Disable JavaScript until a version containing this fix can be installed.