CVE-2012-1944

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions 4.x through 12.0 Firefox ESR versions 10.x before 10.0.5 Thunderbird versions 5.0 through 12.0 Thunderbird ESR versions 10.x before 10.0.5 SeaMonkey versions prior to 2.10

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document because the Content Security Policy (CSP) implementation does not block inline event handlers. This makes it easier for attackers to exploit the vulnerability. Additionally, the vulnerability can be triggered if the security policy is not properly configured to block pop-up windows, allowing an attacker to bypass cross-site scripting protection.

Recommendations For Mozilla Firefox versions 4.x through 12.0, update to a version after 12.0 or apply the necessary security patches. For Firefox ESR versions 10.x before 10.0.5, update to version 10.0.5 or later. For Thunderbird versions 5.0 through 12.0, update to a version after 12.0 or apply the necessary security patches. For Thunderbird ESR versions 10.x before 10.0.5, update to version 10.0.5 or later. For SeaMonkey versions prior to 2.10, update to version 2.10 or later. As a temporary workaround, consider disabling inline event handlers in the Content Security Policy (CSP) until a patch is available. Restrict access to potentially vulnerable HTML documents to minimize the risk of exploitation.