Mozilla Foundation Security Advisory 2010-14

Mozilla Foundation Security Advisory 2010-14

Title: Browser chrome defacement via cached XUL stylesheets
Impact: Low
Announced: March 23, 2010
Reporter: Wladimir Palant
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.2
Firefox 3.5.8
Firefox 3.0.18
Thunderbird 3.0.2
SeaMonkey 2.0.3
Description

Mozilla developer Wladimir Palant reported that stylesheets used in remote XUL documents can wind up in the XUL cache where it can later be accessed by browser chrome for use in styling the user interface. A malicious website could use this issue to pollute a user's XUL cache and change style attributes of their browser such as font size and color.
References

* https://bugzilla.mozilla.org/show_bug.cgi?id=535806
* CVE-2010-0169