Mozilla Foundation Security Advisory 2012-16

Escalation of privilege with Javascript: URL as home page

Announced

March 13, 2012

Reporter

Mariusz Mlynski

Impact

Critical

Products

Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR

Fixed in

Firefox 11
Firefox 3.6.28
Firefox ESR 10.0.3
SeaMonkey 2.8
Thunderbird 11
Thunderbird 3.1.20
Thunderbird ESR 10.0.3

Description

Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the "home" button can set that user's home page to a javascript: URL. Once this is done the attacker's page can cause repeated crashes of the browser, eventually getting the script URL loaded in the privileged about:sessionrestore context.

References

loads of principal-inheriting URIs (e.g. javascript:) on chrome-privileged pages (e.g. about:sessionstore) allows unexpected privilege escalation
prevent self-XSS in homepage icon (disallow javascript: drops)
disallow inheriting of system principal in type=content docshells
CVE-2012-0458

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2012-16

Escalation of privilege with Javascript: URL as home page

Description

References