Mozilla Foundation Security Advisory 2011-38

XSS via plugins and shadowed window.location object

Announced

September 27, 2011

Reporter

Boris Zbarsky

Impact

High

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 3.6.23
Firefox 6
SeaMonkey 2.3
Thunderbird 3.1.15
Thunderbird 6

Description

Mozilla developer Boris Zbarsky reported that a frame named "location" could shadow the window.location object unless a script in a page grabbed a reference to the true object before the frame was created. Because some plugins use the value of window.location to determine the page origin this could fool the plugin into granting the plugin content access to another site or the local file system in violation of the Same Origin Policy. This flaw allows circumvention of the fix added for MFSA 2010-10.

References

Named frames can shadow window.location sometimes
CVE-2011-2999

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2011-38

XSS via plugins and shadowed window.location object

Description

References