Mozilla Foundation Security Advisory 2011-08

ParanoidFragmentSink allows javascript: URLs in chrome documents

Announced
March 1, 2011
Reporter
Roberto Suggi Liverani
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.17
  • Firefox 3.6.14
  • SeaMonkey 2.0.12
  • Thunderbird 3.1.8

Description

Security researcher Roberto Suggi Liverani reported that ParanoidFragmentSink, a class used to sanitize potentially unsafe HTML for display, allows javascript: URLs and other inline JavaScript when the embedding document is a chrome document. While there are no unsafe uses of this class in any released products, extension code could have potentially used it in an unsafe manner.

References