Mozilla Foundation Security Advisory 2009-20

Malicious search plugins can inject code into arbitrary sites

Announced

April 21, 2009

Reporter

Prateek Saxena

Impact

Low

Products

Firefox

Fixed in

Firefox 3.0.9

Description

Security researcher Prateek Saxena reported that a malicious MozSearch plugin could be created using a javascript: URI in the SearchForm value. This URI is used as the default landing page when an empty search is performed. If an attacker could get a user to install the malicious plugin and perform an empty search, the SearchForm javascript: URI would be executed within the context of the currently open page.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=483086
CVE-2009-1310

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2009-20

Malicious search plugins can inject code into arbitrary sites

Description

References