Mozilla Foundation Security Advisory 2009-17
Title: Same-origin violations when Adobe Flash loaded via view-source: scheme
Impact: High
Announced: April 21, 2009
Reporter: Gregory Fleischer
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.0.9
Description
Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:
Additonally, Fleischer reported that the jar: protocol could be used to bypass restrictions normally preventing content loaded via view-source: from being rendered.
Thunderbird shares the browser engine with Firefox and could be vulnerable if plugins were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling plugins in mail.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=481342
* CVE-2009-1307