CVE-2009-3988 Information

Description

Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, do not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.

Reference

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035346.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035367.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035426.html
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00001.html
http://secunia.com/advisories/37242
http://secunia.com/advisories/38847
http://www.debian.org/security/2010/dsa-1999
http://www.mandriva.com/security/advisories?name=MDVSA-2010:042
http://www.mozilla.org/security/announce/2010/mfsa2010-04.html
http://www.redhat.com/support/errata/RHSA-2010-0112.html
http://www.ubuntu.com/usn/USN-895-1
http://www.ubuntu.com/usn/USN-896-1
http://www.vupen.com/english/advisories/2010/0405
https://bugzilla.mozilla.org/show_bug.cgi?id=504862
https://exchange.xforce.ibmcloud.com/vulnerabilities/56362
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A8355
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A9384
