CVE-2012-0458

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions 4.x through 10.0 Mozilla Firefox version 3.6.28 and earlier Firefox ESR versions 10.x through 10.0.2 Thunderbird versions 5.0 through 10.0 Thunderbird version 3.1.20 and earlier Thunderbird ESR versions 10.x through 10.0.2 SeaMonkey version 2.8 and earlier

Description The issue allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a javascript: URL that is later interpreted in the about:sessionrestore context. This is possible because the software does not properly restrict setting the home page through the dragging of a URL to the home button.

Recommendations For Mozilla Firefox versions 4.x through 10.0, update to a version later than 10.0 to resolve the issue. For Mozilla Firefox version 3.6.28 and earlier, update to a version later than 3.6.28 to resolve the issue. For Firefox ESR versions 10.x through 10.0.2, update to version 10.0.3 or later to resolve the issue. For Thunderbird versions 5.0 through 10.0, update to a version later than 10.0 to resolve the issue. For Thunderbird version 3.1.20 and earlier, update to a version later than 3.1.20 to resolve the issue. For Thunderbird ESR versions 10.x through 10.0.2, update to version 10.0.3 or later to resolve the issue. For SeaMonkey version 2.8 and earlier, update to a version later than 2.8 to resolve the issue.