Security researcher Mario Heiderich reported that JavaScript could be executed
in the HTML feed-view using an <embed> tag within the RSS <description>. This
problem is due to <embed> tags not being filtered out during parsing and can
lead to a potential cross-site scripting (XSS) attack. The flaw existed in a
parser utility class and could affect other parts of the browser or add-ons
which rely on that class to sanitize untrusted input.