U115577

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 1.0.5 Description: The issue allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the search target, then injecting script into other pages via a data: URL. Recommendations: For Firefox versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 1.0.3 **Description** The issue is related to "missing security checks" that allow remote attackers to inject arbitrary Javascript into privileged pages. This is achieved by using the search target of the Firefox sidebar. **Recommendations** For versions prior to 1.0.3, update to version 1.0.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Firefox sidebar or disabling Javascript execution in privileged pages until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 1.0.2 **Description** The issue allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page. **Recommendations** For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 1.0.1 Mozilla versions prior to 1.7.6 **Description** The issue allows remote attackers to spoof the SSL secure site lock icon. This can occur in three scenarios: (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site. **Recommendations** For Firefox versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. For Mozilla versions prior to 1.7.6, update to version 1.7.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 1.0 Mozilla versions prior to 1.7.5 **Description** The issue allows the secure site lock icon to be displayed when a view-source: URL references a secure SSL site while an insecure page is being loaded. This could facilitate phishing attacks by misleading users about the security of the page they are viewing. **Recommendations** For Firefox versions prior to 1.0, update to version 1.0 or later to resolve the issue. For Mozilla versions prior to 1.7.5, update to version 1.7.5 or later to resolve the issue.