mozilla -- code execution through javascript: favicons
Description:
A Mozilla Foundation Security Advisory reports:
Firefox and the Mozilla Suite support custom "favicons"
through the <LINK rel="icon"> tag. If a link tag is added
to the page programmatically and a javascript: url is
used, then script will run with elevated privileges and
could run or install malicious software.
Workaround: Disable JavaScript
Affects:
- firefox <1.0.3,1
- linux-firefox <1.0.3
- mozilla <1.7.7,2
- mozilla >=1.8.*,2
- linux-mozilla <1.7.7
- linux-mozilla >=1.8.*
- linux-mozilla-devel <1.7.7
- linux-mozilla-devel >=1.8.*
- netscape7 >=0
- de-linux-mozillafirebird >=0
- el-linux-mozillafirebird >=0
- ja-linux-mozillafirebird-gtk1 >=0
- ja-mozillafirebird-gtk2 >=0
- linux-mozillafirebird >=0
- ru-linux-mozillafirebird >=0
- zhCN-linux-mozillafirebird >=0
- zhTW-linux-mozillafirebird >=0
- de-linux-netscape >=0
- de-netscape7 >=0
- fr-linux-netscape >=0
- fr-netscape7 >=0
- ja-linux-netscape >=0
- ja-netscape7 >=0
- linux-netscape >=0
- linux-phoenix >=0
- mozilla+ipv6 >=0
- mozilla-embedded >=0
- mozilla-firebird >=0
- mozilla-gtk1 >=0
- mozilla-gtk2 >=0
- mozilla-gtk >=0
- mozilla-thunderbird >=0
- phoenix >=0
- pt_BR-netscape7 >=0
Disclaimer: The data contained on this page is derived from the VuXML document;
please refer to the original document for copyright information. The author of
portaudit makes no claim of authorship or ownership of any of the information contained herein.
If you have found a vulnerability in a FreeBSD port not listed in the
database, please contact the FreeBSD Security Officer. Refer to
"FreeBSD Security Information" for more information.
Oliver Eikemeier <eik@FreeBSD.org>