Cross-origin information leakage vulnerability in Firefox Modal calling

Release date:
Updated on:

Affected Systems:
Mozilla Firefox 3.6.x
Mozilla Firefox 3.5.x
Mozilla Thunderbird 3.1.x
Mozilla Thunderbird 3.0.x
Mozilla SeaMonkey <2.0.9
Unaffected system:
Mozilla Firefox 3.6.11
Mozilla Firefox 3.5.14
Mozilla Thunderbird 3.1.5
Mozilla Thunderbird 3.0.9
Mozilla SeaMonkey 2.0.9
Description:
--------------------------------------------------------------------------------
Bugtraq id: 44252
CVE (CAN) ID: CVE-2010-3178

Firefox is a very popular open-source WEB browser.

If the webpage opens a new window and uses javascript: URL to execute the modal call, such as alert (), and then the webpage is directed to different domains, then the modal call returns to the open program of the window to access the objects in the window. This violates the same-origin policy and allows users to steal sensitive information from other websites.

<* Source: Eduardo Vela Nava

Link: http://secunia.com/advisories/41244/
Http://www.mozilla.org/security/announce/2010/mfsa2010-69.html
Https://www.redhat.com/support/errata/RHSA-2010-0782.html
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Mozilla
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.mozilla.org/

RedHat
------
For this reason, RedHat has released a Security Bulletin (RHSA-2010: 0782-01) and patch:
The RHSA-2010: 0782-01: Critical: firefox security update
Link: https://www.redhat.com/support/errata/RHSA-2010-0782.html