Chris Thomas

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 2.0.0.13 SeaMonkey versions prior to 1.1.9 **Description** A GUI overlay issue allows remote attackers to spoof form elements and redirect user inputs via a borderless XUL pop-up window from a background tab. **Recommendations** For Mozilla Firefox versions prior to 2.0.0.13, update to version 2.0.0.13 or later. For SeaMonkey versions prior to 1.1.9, update to version 1.1.9 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 1.5.x through 1.5.0.11 Mozilla Firefox versions 2.x through 2.0.0.3 SeaMonkey version 1.0.9 SeaMonkey version 1.1.2 **Description** The issue allows remote attackers to spoof or hide the browser chrome, such as the location bar, by placing XUL popups outside of the browser's content pane. This can be leveraged for phishing and other attacks. **Recommendations** For Mozilla Firefox versions 1.5.x through 1.5.0.11, update to version 1.5.0.12 or later. For Mozilla Firefox versions 2.x through 2.0.0.3, update to version 2.0.0.4 or later. For SeaMonkey version 1.0.9, update to a version later than 1.0.9. For SeaMonkey version 1.1.2, update to a version later than 1.1.2.

**Name of the Vulnerable Software and Affected Versions** Mozilla versions prior to 1.7.12 Mozilla Firefox versions prior to 1.0.7 Netscape versions prior to 8.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `-moz-binding` CSS property. This property does not require the style sheet to have the same origin as the web page. The issue has been demonstrated by the compromise of a large number of LiveJournal accounts. **Recommendations** For Mozilla versions prior to 1.7.12, update to a version that fixes this issue. For Mozilla Firefox versions prior to 1.0.7, update to a version that fixes this issue. For Netscape versions prior to 8.1, update to a version that fixes this issue. As a temporary workaround, consider disabling the use of the `-moz-binding` CSS property until a patch is available.

Name of the Vulnerable Software and Affected Versions: Firefox version 1.0.3 Description: The issue allows remote attackers to execute arbitrary Javascript in other domains. This is achieved by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution. Recommendations: For Firefox version 1.0.3, update to a newer version to mitigate the risk.

Name of the Vulnerable Software and Affected Versions: Firefox version 1.0.3 Description: The issue allows remote web sites on the browser's whitelist to execute arbitrary Javascript with chrome privileges. This can lead to arbitrary code execution on the system when combined with other vulnerabilities. The exploitation can be demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site. Recommendations: For Firefox version 1.0.3, consider restricting access to the `install` function until a patch is available. As a temporary workaround, avoid using the `javascript:` URL scheme for package icons to minimize the risk of exploitation.