![]() There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content. ![]() Mozilla security researcher moz_bug_r_a4 discovered that the CheckURL function in window.location can be forced to return the wrong calling document and principal, allowing a cross-site scripting (XSS) attack.Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.It is however still recommended to upgrade the email client to fix the issues at hand.īelow is a list of issues fixed in the new release: Mozilla notes that the desktop email client Thunderbird is only affected by location issues through RSS feeds or extensions that load web contents. Affected are Firefox stable releases, Firefox Extended Support Releases, Thunderbird stable and ESR, and SeaMonkey. Mozilla is currently in the process of rolling out an update for the stable version of Firefox that is brining the web browser to version 16.0.2 This is in fact the second update in this release period, the first was released shortly after Firefox 16.0 was pulled by Mozilla due to security issues found in the version.įirefox 16.0.2 fixes critical security vulnerabilities in Firefox's location object.
0 Comments
Leave a Reply. |