The following vulnerabilities were found and fixed in the Mozilla Suite
and Mozilla Firefox:
Vladimir V. Perepelitsa reported a memory disclosure bug in
JavaScript's regular expression string replacement when using an
anonymous function as the replacement argument (CAN-2005-0989).
moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM
nodes from the content window, allowing privilege escalation via DOM
property overrides.
Michael Krax reported a possibility to run JavaScript code with
elevated privileges through the use of javascript: favicons.
Michael Krax also discovered that malicious Search plugins could
run JavaScript in the context of the displayed page or stealthily
replace existing search plugins.
shutdown discovered a technique to pollute the global scope of a
window in a way that persists from page to page.
Doron Rosenberg discovered a possibility to run JavaScript with
elevated privileges when the user asks to "Show" a blocked popup that
contains a JavaScript URL.
Finally, Georgi Guninski reported missing Install object instance
checks in the native implementations of XPInstall-related JavaScript
objects.
The following Firefox-specific vulnerabilities have also been
discovered:
Kohei Yoshino discovered a new way to abuse the sidebar panel to
execute JavaScript with elevated privileges.
Omar Khan reported that the Plugin Finder Service can be tricked to
open javascript: URLs with elevated privileges.
