Mozilla Foundation Security Advisory 2008-65

Mozilla Foundation Security Advisory 2008-65

Title: Cross-domain data theft via script redirect error message
Impact: High
Announced: December 16, 2008
Reporter: Chris Evans
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.5
Firefox 2.0.0.19
Thunderbird 2.0.0.19
SeaMonkey 1.1.14
Description

Google security researcher Chris Evans reported that a website could access a limited amount of data from a different domain by loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data which is not parsable as JavaScript. Upon attempting to load the data as JavaScript a syntax error is generated that can reveal some of the file context via the window.onerror DOM API.

This issue could be used by a malicious website to steal private data from users who are authenticated on the redirected website. How much data could be at risk would depend on the format of the data and how the JavaScript parser attempts to interpret it. For most files the amount of data that can be recovered would be limited to the first word or two. Some data files might allow deeper probing with repeated loads.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.
Workaround

Disable JavaScript until a version containing these fixes can be installed.
References

* https://bugzilla.mozilla.org/show_bug.cgi?id=461735
* CVE-2008-5507