Multiple Mozilla products JavaScript URL redirect information disclosure
mozilla-javascripturl-infor-disclosure (47413)
Description:
Multiple Mozilla products, including Firefox, Thunderbird, and SeaMonkey, could allow a remote attacker to bypass cross-domain security restrictions. The flaw is caused by an error when processing JavaScript URLs that redirect the browser to an off-domain target that returns non-JavaScript data. By persuading a victim to visit a specially crafted Web site, a remote attacker could bypass same-origin policy restrictions using the window.onerror DOM API to gain unauthorized access to other domains and obtain sensitive information from the system.
CVSS:
| Base Score: | 4.3 |
| Access Vector: | Network |
| Access Complexity: | Medium |
| Authentication: | None |
| Confidentiality Impact: | Partial |
| Integrity Impact: | None |
| Availability Impact: | None |
| Temporal Score: | 3.2 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Obtain Information
Remedy:
Refer to MFSA 2008-65 for patch, upgrade or suggested workaround information. See References.
For other distributions:
Apply the appropriate update for your system. See References.
References:
- Bugzilla@Mozilla - Bug 461735: Security: theft of strings cross-domain with redirect,
