Christian Biesinger

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.6.18 Mozilla Firefox versions 4.x through 4.0.1 Thunderbird versions prior to 3.1.11 **Description** A CRLF injection issue exists in the `nsCookieService::SetCookieStringInternal` function, allowing remote attackers to bypass access restrictions. This occurs when a string containing a ` ` (newline) character is not properly handled in a JavaScript "document.cookie =" expression. **Recommendations** For Mozilla Firefox versions prior to 3.6.18, update to version 3.6.18 or later. For Mozilla Firefox versions 4.x through 4.0.1, update to version 4.0.2 or later. For Thunderbird versions prior to 3.1.11, update to version 3.1.11 or later.