Mozilla · Firefox · CVE-2012-0458
**Name of the Vulnerable Software and Affected Versions**
Mozilla Firefox versions 4.x through 10.0
Mozilla Firefox version 3.6.28 and earlier
Firefox ESR versions 10.x through 10.0.2
Thunderbird versions 5.0 through 10.0
Thunderbird version 3.1.20 and earlier
Thunderbird ESR versions 10.x through 10.0.2
SeaMonkey version 2.8 and earlier
**Description**
The issue allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a `javascript:` URL that is later interpreted in the `about:sessionrestore` context. This is possible because the software does not properly restrict setting the home page through the dragging of a URL to the home button.
**Recommendations**
For Mozilla Firefox versions 4.x through 10.0, update to a version later than 10.0 to resolve the issue.
For Mozilla Firefox version 3.6.28 and earlier, update to a version later than 3.6.28 to resolve the issue.
For Firefox ESR versions 10.x through 10.0.2, update to version 10.0.3 or later to resolve the issue.
For Thunderbird versions 5.0 through 10.0, update to a version later than 10.0 to resolve the issue.
For Thunderbird version 3.1.20 and earlier, update to a version later than 3.1.20 to resolve the issue.
For Thunderbird ESR versions 10.x through 10.0.2, update to version 10.0.3 or later to resolve the issue.
For SeaMonkey version 2.8 and earlier, update to a version later than 2.8 to resolve the issue.