Vulnerability Note VU#911004
Mozilla Firefox fails to properly handle the "XPCNativeWrapper(window).Function(...)"
Certain Mozilla products contain a cross-site scripting vulnerability because of a vulnerability in the XPCNativeWrapper function.
Per Mozilla, XPCNativeWrapper is a way to wrap up an object so that it is safe to access from privileged code. It is used to allow chrome code to access DOM objects.
By convincing a victim to view an HTML document (web page), an attacker could evaluate script in a different security domain than the one containing the attacker's document. The attacker could read or modify data in other web sites (read cookies/content, modify/create content, etc.). If the script is evaluated with chrome privileges, an attacker could execute arbitrary commands on the user's system.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Mozilla, Inc.||Affected||-||01 Aug 2006|
CVSS Metrics (Learn More)
Thanks to Mozilla for reporting this vulnerability. Mozilla in turn thanks shutdown.
This document was written by Ryan Giobbi.
- CVE IDs: CVE-2006-3810
- Date Public: 25 Jul 2006
- Date First Published: 01 Aug 2006
- Date Last Updated: 09 Feb 2007
- Severity Metric: 2.74
- Document Revision: 14
If you have feedback, comments, or additional information about this vulnerability, please send us email.