Mozilla Firefox window.onerror DOM API Lets Remote Users Obtain Potentially Sensitive Information
|
SecurityTracker Alert ID: 1021423
|
SecurityTracker URL: http://securitytracker.com/id?1021423
|
CVE Reference: CVE-2008-5507
|
Updated: Dec 19 2008
|
Original Entry Date: Dec 17 2008
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Mozilla Foundation Security Advisory
|
Version(s): 2.x prior to 2.0.0.20; 3.x prior to 3.0.5
|
Description: A vulnerability was reported in Mozilla Firefox. A remote user can obtain potentially sensitive information.
A remote user can create a specially crafted same-domain JavaScript URL that, when loaded by the target user, will redirect to an off-domain target resource on the target user's system and access potentially sensitive information via the window.onerror DOM API.
Thunderbird and SeaMonkey are affected.
Chris Evans of the Google Security Team reported this vulnerability.
|
Impact: A remote user can obtain potentially sensitive information.
|
Solution: The vendor has issued a fix (2.0.0.20, 3.0.5).
[Editor's note: Mozilla originally issued 2.0.0.19, but the Windows version 2.0.0.19
did not include the fix. A new fixed version 2.0.0.20 was issued on December 18, 2008.]
The vendor's advisory is available at:
http://www.mozilla.org/security/announce/2008/mfsa2008-65.html
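
As an added example (not part of this alert or of the vendor's advisory), the version ranges and the editor's note above can be applied to User-Agent strings in web proxy logs to find Firefox clients that still need the update. The log lines, the function names and the "review" status are assumptions made for illustration.

```python
import re

# Fixed releases per branch, from the alert (2.x < 2.0.0.20, 3.x < 3.0.5).
FIXED = {2: (2, 0, 0, 20), 3: (3, 0, 5)}
UA_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)([A-Za-z]\w*)?")


def classify(user_agent):
    """Return (version, status) for a Firefox User-Agent, else None."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    text, suffix = m.groups()
    version = tuple(int(p) for p in text.split("."))
    fixed = FIXED.get(version[0])
    if fixed is None:
        return text, "not_listed"  # branch outside the alert's ranges
    if suffix:
        return text + suffix, "review"  # e.g. "3.0.5pre": not a release build
    # Pad to equal length so (3, 0) compares as (3, 0, 0).
    width = max(len(version), len(fixed))
    padded = version + (0,) * (width - len(version))
    if padded >= fixed + (0,) * (width - len(fixed)):
        return text, "fixed"
    if version == (2, 0, 0, 19) and "Windows" not in user_agent:
        # Editor's note: only the Windows 2.0.0.19 build lacked the fix.
        # Assumption: other platforms are flagged for manual review.
        return text, "review"
    return text, "affected"


def scan(lines):
    """Classify every log line that carries a Firefox User-Agent."""
    return [r for r in map(classify, lines) if r is not None]


# Constructed proxy-log lines (not from the alert). The User-Agent is
# client-supplied, so treat results as inventory hints, not proof.
SAMPLE = [
    '10.0.0.5 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"',
    '10.0.0.6 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"',
    '10.0.0.7 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"',
    '10.0.0.8 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"',
    '10.0.0.9 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for version, status in scan(SAMPLE):
        print(version, status)
```

Thunderbird and SeaMonkey are not checked because the alert gives no fixed versions for them.
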
|
Vendor URL: www.mozilla.org/security/announce/2008/mfsa2008-65.html
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 17 Dec 2008 00:48:58 -0500
Subject: http://www.mozilla.org/security/announce/2008/mfsa2008-65.html
|
Mozilla Firefox
CVE-2008-5507