Mozilla Foundation Security Advisory 2010-20

Chrome privilege escalation via forced URL drag and drop

Announced: March 30, 2010
Reporter: Paul Stone
Impact: Critical
Products: Firefox, SeaMonkey
Fixed in:
  • Firefox 3.0.19
  • Firefox 3.5.9
  • Firefox 3.6.2
  • SeaMonkey 2.0.4

Description

Security researcher Paul Stone reported that a browser applet could be used to turn a simple mouse click into a drag-and-drop action, potentially resulting in the unintended loading of resources in a user's browser. This behavior could be used twice in succession: first to load a privileged chrome: URL in a victim's browser, then to load a malicious javascript: URL on top of the same document, resulting in arbitrary script execution with chrome privileges.
