Mozilla Foundation Security Advisory 2007-08
onUnload + document.write() memory corruption
- Announced
- February 25, 2007
- Reporter
- Michal Zalewski
- Impact
- Critical
- Products
- Firefox, SeaMonkey
- Fixed in
-
- Firefox 1.5.0.10
- Firefox 2.0.0.2
- SeaMonkey 1.0.8
Description
Michal Zalewski reported a memory corruption vulnerability in Firefox 2.0.0.1 involving mixing the onUnload event handler and self-modifying document.write() calls. This flaw was introduced in Firefox 2.0.0.1 and 1.5.0.9 and does not affect earlier versions; it is fixed in Firefox 2.0.0.2 and 1.5.0.10
Workaround
Disable JavaScript until a fixed version can be installed.