FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mozilla -- scripting vulnerabilities

Affected packages
thunderbird < 0.8
de-linux-mozillafirebird < 1.p
el-linux-mozillafirebird < 1.p
firefox < 1.p
ja-linux-mozillafirebird-gtk1 < 1.p
ja-mozillafirebird-gtk2 < 1.p
linux-mozillafirebird < 1.p
ru-linux-mozillafirebird < 1.p
zhCN-linux-mozillafirebird < 1.p
zhTW-linux-mozillafirebird < 1.p
de-netscape7 <= 7.2
fr-netscape7 <= 7.2
ja-netscape7 <= 7.2
netscape7 <= 7.2
pt_BR-netscape7 <= 7.2
linux-mozilla < 1.7.3
linux-mozilla-devel < 1.7.3
mozilla-gtk1 < 1.7.3
mozilla < 1.7.3,2
0 <= de-linux-netscape
0 <= fr-linux-netscape
0 <= ja-linux-netscape
0 <= linux-netscape
0 <= linux-phoenix
0 <= mozilla+ipv6
0 <= mozilla-embedded
0 <= mozilla-firebird
0 <= mozilla-gtk
0 <= mozilla-gtk2
0 <= mozilla-thunderbird
0 <= phoenix


VuXML ID b2e6d1d6-1339-11d9-bc4a-000c41e2cdad
Discovery 2004-09-13
Entry 2004-09-30

Several scripting vulnerabilities were discovered and corrected in Mozilla:


javascript; links dragged onto another frame or page allows an attacker to steal or modify sensitive information from other sites. The user could be convinced to drag obscurred links in the context of a game or even a fake scrollbar. If the user could be convinced to drag two links in sequence into a separate window (not frame) the attacker would be able to run arbitrary programs.


Untrusted javascript code can read and write to the clipboard, stealing any sensitive data the user might have copied. Workaround: disable javascript


Signed scripts requesting enhanced abilities could construct the request in a way that led to a confusing grant dialog, possibly fooling the user into thinking the privilege requested was inconsequential while actually obtaining explicit permission to run and install software. Workaround: Never grant enhanced abilities of any kind to untrusted web pages.


CVE Name CVE-2004-0905
CVE Name CVE-2004-0908
CVE Name CVE-2004-0909