Mozilla Foundation Security Advisory 2006-08

"AnyName" entrainment and access control hazard

Announced

February 1, 2006

Reporter

Brendan Eich

Impact

Low

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 1.5.0.1
SeaMonkey 1
Thunderbird 1.5.0.2

Description

The implementation of E4X introduced an internal "AnyName" object which was unintentionally exposed to web content. This singleton object could be used by two cooperating domains as a communication channel to get around same-origin restrictions that prevent direct access from one window or frame to another. This could not be used to violate same-origin protection of another window's content, it was simply a mutually accessible storage spot. E4X was not supported in Firefox 1.0 or Mozilla 1.7

Thunderbird 1.5 could be vulnerable if JavaScript is enabled in mail. This is not the default setting and we strongly discourage users from turning on JavaScript in mail. Thunderbird is not vulnerable in its default configuration.

Update (13 April 2006)
This flaw has been fixed in Thunderbird 1.5.0.2

Workaround

Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or SeaMonkey mail.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=322312
CVE-2006-0299

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice