Mozilla Foundation Security Advisory 2010-04

XSS due to window.dialogArguments being readable cross-domain

Announced

February 17, 2010

Reporter

Hidetake Jo, TippingPoint ZDI

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 3.0.18
Firefox 3.5.8
Firefox 3.6
SeaMonkey 2.0.3

Description

Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and could result in a website running untrusted JavaScript if it assumed the dialogArguments could not be initialized by another site.

An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=504862
CVE-2009-3988

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2010-04

XSS due to window.dialogArguments being readable cross-domain

Description

References