Mozilla Foundation Security Advisory 2010-04

XSS due to window.dialogArguments being readable cross-domain

Announced
February 17, 2010
Reporter
Hidetake Jo, TippingPoint ZDI
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.0.18
  • Firefox 3.5.8
  • Firefox 3.6
  • SeaMonkey 2.0.3

Description

Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and could result in a website running untrusted JavaScript if it assumed the dialogArguments could not be initialized by another site.

An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla.

References