Sites can use the _search target to open links in the Firefox sidebar. Two
missing security checks allow malicious scripts to first open a privileged page
(such as about:config) and then inject script using a javascript: URL. This
could be used to install malicious code or steal data without user interaction.
Fixed in: Firefox 1.0.3 / Mozilla Suite 1.7.7
Workaround: Disable JavaScript
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=290079