Mozilla Foundation Security Advisory 2008-61
Title: Information stealing via loadBindingDocument
Announced: December 16, 2008
Reporter: Boris Zbarsky
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 188.8.131.52
Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:
1. The target document requires a <bindings> element in the XBL namespace in order to be read.
2. The reader of the data needs to know the id attribute of the binding being read in advance.
3. It is unlikely that web services will expose private data in the manner described above.
Firefox 3 is not affected by this issue.
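The first two mitigating factors can be turned into an audit check for XML documents your own service returns. The following is an added example, not code from the advisory or from Mozilla: the function name and the sample documents are constructed for illustration, and it assumes a document is in scope only when it contains a <bindings> element in the XBL namespace (http://www.mozilla.org/xbl) holding at least one <binding> with an id attribute.

```python
import xml.etree.ElementTree as ET

XBL_NS = "http://www.mozilla.org/xbl"  # XBL 1.0 namespace URI


def exposed_binding_ids(xml_text):
    """Return the ids of XBL <binding> elements found under an XBL <bindings>.

    An empty list means the document does not match the conditions in
    mitigating factors 1 and 2 (hypothetical helper for auditing your own
    service responses).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # not well-formed XML, so it cannot be an XBL document

    ids = []
    # Factor 1: a <bindings> element that really is in the XBL namespace.
    for container in root.iter("{%s}bindings" % XBL_NS):
        # Factor 2: only bindings with an id can be addressed by a reader.
        for binding in container.iter("{%s}binding" % XBL_NS):
            binding_id = binding.get("id")
            if binding_id and binding_id not in ids:
                ids.append(binding_id)
    return ids


# Constructed sample responses (not taken from any real service).
SAMPLE_XBL = (
    '<bindings xmlns="http://www.mozilla.org/xbl">'
    '<binding id="acct"><content>constructed data</content></binding>'
    '<binding id="prefs"/>'
    '<binding/>'
    "</bindings>"
)
SAMPLE_NO_NAMESPACE = '<bindings><binding id="acct"/></bindings>'
SAMPLE_HTML = "<html><body><p>hello<br></body></html>"

if __name__ == "__main__":
    for name, doc in [("xbl", SAMPLE_XBL),
                      ("no-namespace", SAMPLE_NO_NAMESPACE),
                      ("html", SAMPLE_HTML)]:
        print(name, exposed_binding_ids(doc))
```

A non-empty result for a response that carries per-user data marks a document worth reviewing; the same element names without the XBL namespace do not match.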