Key Information

Vulnerability Overview
Vulnerability name: Cross-site information disclosure via modal calls
Announced: October 19, 2010
Reporter: Eduardo Vela Nava

Impact
Severity: High
Affected products:
- Firefox
- SeaMonkey
- Thunderbird

Fixed Versions
Firefox: 3.5.14, 3.6.11
SeaMonkey: 2.0.9
Thunderbird: 3.0.9, 3.1.5

Description
Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned, the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another web site.

References
- Bugzilla Report
- CVE-2010-3178