Mozilla Foundation Security Advisory 2009-18

XSS hazard using third-party stylesheets and XBL bindings

Announced
April 21, 2009
Reporter
Cefn Hoile
Impact
Low
Products
Firefox
Fixed in
  • Firefox 3.0.9

Description

Web developer Cefn Hoile reported that sites which allow users to embed third-party stylesheets are vulnerable to script injection attacks using XBL bindings. While this behavior was documented previously, it was determined that this particular risk was not well-understood by some websites. To mitigate this risk Mozilla added a restriction that requires XBL bindings to come from the same origin as the bound document.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.

References