Multiple Mozilla products JavaScript URL redirect information disclosure

mozilla-javascripturl-infor-disclosure (47413). The risk level is classified as Low Risk.

Description:

Multiple Mozilla products, including Firefox, Thunderbird and SeaMonkey, could allow a remote attacker to bypass cross-domain security restrictions. The flaw is caused by an error when processing JavaScript URLs redirecting the browser to an off-domain target that returns non-JavaScript data. By persuading a victim to visit a specially crafted Web site, a remote attacker could bypass same-origin policy restrictions using the window.onerror DOM API to gain unauthorized access to other domains and obtain sensitive information from the system.

CVSS:

Base Score: 4.3
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: None
  Availability Impact: None
 
Temporal Score: 3.2
  Exploitability: Unproven
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Obtain Information

Remedy:

Refer to MFSA 2008-65 for patch, upgrade or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References:

  • Bugzilla@Mozilla - Bug 461735: Security: theft of strings cross-domain with redirect,