FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

firefox -- arbitrary code execution in sidebar panel

Affected packages
firefox < 1.0.3,1
linux-firefox < 1.0.3


VuXML ID 1f2fdcff-ae60-11d9-a788-0001020eed82
Discovery 2005-04-12
Entry 2005-04-16

A Mozilla Foundation Security Advisory reports:

Sites can use the _search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page (such as about:config) and then inject script using a javascript: URL. This could be used to install malicious code or steal data without user interaction.

Workaround: Disable JavaScript
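
To check a package inventory against the "Affected packages" ranges above, the following added example (not part of the VuXML entry or of FreeBSD's own tooling) compares installed versions with the listed bounds. It assumes the FreeBSD `version[_revision][,epoch]` layout, in which the `,1` in `1.0.3,1` is the port epoch and is compared before anything else; the comparator is simplified to dotted numeric versions, and the function names and sample inventory are constructed for illustration.

```python
import re

# Affected ranges copied from the entry: package -> first unaffected version.
AFFECTED = {"firefox": "1.0.3,1", "linux-firefox": "1.0.3"}

# Layout: version[_revision][,epoch]
# Simplification (assumption): only dotted numeric versions are accepted.
# The comparison in pkg(8) also handles letters and suffixes such as "rc".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?$")


def parse_version(text):
    """Return (epoch, version tuple, revision), ordered by significance."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unsupported version string: {text!r}")
    version, revision, epoch = match.groups()
    numbers = [int(part) for part in version.split(".")]
    # Drop trailing zeros so that 1.0 and 1.0.0 compare equal.
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    return (int(epoch or 0), tuple(numbers), int(revision or 0))


def is_affected(name, installed):
    """True when `installed` sorts below the bound listed for `name`."""
    bound = AFFECTED.get(name)
    if bound is None:
        return False
    return parse_version(installed) < parse_version(bound)


def audit(packages):
    """Return the sorted names of affected packages in a {name: version} map."""
    return sorted(n for n, v in packages.items() if is_affected(n, v))


# Constructed sample inventory, not taken from a real host.
SAMPLE = {"firefox": "1.0.2,1", "linux-firefox": "1.0.3", "bash": "3.0.16"}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}-{SAMPLE[name]} matches the affected range in this entry")
```

Because the epoch is compared first, a `firefox` package recorded as `1.0.4` with no epoch still sorts below `1.0.3,1`, so inventories should carry the full version string as the package database reports it.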