Key Information

Vulnerability ID: Mozilla Foundation Security Advisory 2009-18
Vulnerability Type: XSS (Cross-Site Scripting) hazard using third-party stylesheets and XBL bindings
Disclosure Date: April 21, 2009
Reporter: Cefn Hoile
Severity Level: Low
Affected Product: Firefox
Fixed Version: Firefox 3.0.9

Description

Web developers who allow users to embed third-party stylesheets on their websites are vulnerable to script injection attacks via XBL bindings: a stylesheet can attach an XBL binding to page elements, and the binding can carry script that runs in the context of the hosting document. This risk was previously known, but some developers were not aware of it. To address it, Mozilla now requires that XBL bindings come from the same origin as the document to which they are applied; this policy is enforced from Firefox 3.0.9. The change does not remove the hazard for a site whose users can supply arbitrary CSS, since a binding served from the site's own origin is still accepted, so such sites should also filter binding declarations out of user-supplied styles.

Thunderbird shares its browser engine with Firefox and could be vulnerable if JavaScript were enabled in mail. This is not the default configuration, and we strongly recommend against enabling JavaScript in mail.

References

Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=481558
CVE: CVE-2009-1308
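As an added illustration (this is example code, not Mozilla's code and not part of the advisory): a filter a site could run over user-supplied CSS before embedding it. It mirrors the policy Firefox 3.0.9 adopted, that a -moz-binding must resolve to the document's own origin, and goes further by rejecting XBL bindings altogether, since a site that lets users author styles has no reason to let them attach bindings at all. The hosting origin https://example.test, the sample stylesheet and the attacker URL are constructed for the example. The sample also shows why a plain substring search for "-moz-binding" is not enough: the property name is split with a comment and a CSS hex escape, so the filter normalises the stylesheet before matching.

```javascript
// Added example: audit user-supplied CSS for XBL binding injection.
// Not Mozilla's code; origins and sample input are constructed for illustration.

const SITE_ORIGIN = "https://example.test"; // assumed origin of the hosting document

// Properties that can pull executable content into a page via a stylesheet.
// -moz-binding attaches an XBL binding (Gecko); behavior is the IE analogue.
const SCRIPT_BEARING_PROPERTIES = new Set(["-moz-binding", "behavior"]);

// Remove /* ... */ comments, which can be used to split a property name.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Decode CSS escapes: \HH.. (1-6 hex digits, optional trailing space) and \X.
// "-moz-\62 inding" becomes "-moz-binding" after this step.
function decodeCssEscapes(css) {
  return css
    .replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/\\(.)/g, "$1");
}

// Minimal declaration parser: walks every { ... } block and splits on ';' and
// the first ':'. Good enough for a blocklist on normalised input; it is not a
// full CSS parser (for example a data: URI containing ';' would be split).
function parseDeclarations(css) {
  const decls = [];
  for (const [, body] of css.matchAll(/\{([^{}]*)\}/g)) {
    for (const raw of body.split(";")) {
      const idx = raw.indexOf(":");
      if (idx < 0) continue;
      const property = raw.slice(0, idx).trim().toLowerCase();
      const value = raw.slice(idx + 1).trim();
      if (property) decls.push({ property, value });
    }
  }
  return decls;
}

// Resolve every url(...) in a value against the document and return its origin.
// Relative URLs resolve to the document's origin, exactly as the browser would.
function urlOrigins(value, documentOrigin) {
  const origins = [];
  for (const m of value.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)) {
    try {
      origins.push(new URL(m[2], documentOrigin).origin);
    } catch {
      origins.push("invalid");
    }
  }
  return origins;
}

// Returns { allowed, findings }. Cross-origin bindings are what the Firefox
// 3.0.9 same-origin rule blocks; same-origin bindings are still reported
// because this site's users have no business attaching XBL at all.
function auditStylesheet(css, documentOrigin) {
  const origin = new URL(documentOrigin).origin;
  const findings = [];
  const normalized = decodeCssEscapes(stripComments(css));
  for (const { property, value } of parseDeclarations(normalized)) {
    if (property === "-moz-binding") {
      const foreign = urlOrigins(value, origin).some((o) => o !== origin);
      findings.push({
        property,
        value,
        reason: foreign ? "cross-origin XBL binding" : "same-origin XBL binding",
      });
    } else if (SCRIPT_BEARING_PROPERTIES.has(property)) {
      findings.push({ property, value, reason: "script-bearing property" });
    }
  }
  return { allowed: findings.length === 0, findings };
}

// Constructed sample: one harmless rule, then a binding injection attempt whose
// property name is obfuscated with an empty comment and a hex escape (\62 = "b").
const SAMPLE_USER_CSS = `
  .profile { color: #333; background: url(/img/bg.png); }
  .profile h1 { -moz-/**/\\62 inding: url(https://attacker.test/evil.xml#widget); }
`;

const report = auditStylesheet(SAMPLE_USER_CSS, SITE_ORIGIN);
console.log(JSON.stringify(report, null, 2));
```

The filter is meant to run before the stylesheet is stored or served, and to reject the whole submission rather than strip the offending declaration, so that the remaining rules are never interpreted differently from what was audited.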