Mozilla Foundation Security Advisory 2015-09

XrayWrapper bypass through DOM objects

Announced

January 13, 2015

Reporter

Bobby Holley, Joe Vennix

Impact

Critical

Products

Firefox, SeaMonkey

Fixed in

Firefox 35
SeaMonkey 2.32

Description

Mozilla developer Bobby Holley reported that Document Object Model (DOM) objects with some specific properties can bypass XrayWrappers. This can allow web content to confuse privileged code, potentially enabling privilege escalation.

Update for February 12, 2015: Security researcher Joe Vennix of Rapid7 also reported another issue caused by this same problem. He discovered that setting a prototype to a proxy object could allow web content to open privileged window with the chrome property, allowing for escalation of privilege.

References

named getters can fool Xrays (CVE-2014-8636)
Setting prototype to a Proxy object allows content to influence chrome:// code

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-09

XrayWrapper bypass through DOM objects

Description

References