Mozilla Foundation Security Advisory 2009-70

Privilege escalation via chrome window.opener

Announced

December 15, 2009

Reporter

David James

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 3.0.16
Firefox 3.5.6
SeaMonkey 2.0.1

Description

Security researcher David James reported that a content window which is opened by a chrome window retains a reference to the chrome window via the window.opener property. Using this reference, content in the new window can access functions inside the chrome window, such as eval, and use these functions to run arbitrary JavaScript code with chrome privileges. In a stock Mozilla browser a remote attacker can not cause these application dialogs to appear nor to automatically load the attack code that takes advantage of this flaw in window.opener. There may be add-ons which open potentially hostile web-content in this way, and combined with such an add-on the severity of this flaw could be upgraded to Critical.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=522430
CVE-2009-3986

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog