Mozilla Foundation Security Advisory 2006-43

Privilege escalation using addSelectionListener

Announced

June 1, 2006

Reporter

moz_bug_r_a4

Impact

Critical

Products

Firefox, SeaMonkey

Fixed in

Firefox 1.5.0.4
SeaMonkey 1.0.2

Description

Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox in MFSA 2006-31 and content-defined DOM setters in MFSA 2006-37 moz_bug_r_a4 figured a way to leverage the fact that the notifications were created in a privileged context into arbitrary code execution.

Workaround

Disable JavaScript until you've upgraded to a fixed version.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=336830
CVE-2006-2777

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice