CVE-2005-1476
Description
Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=1.0.3
- (no CPE)range: = 1.0.3
Patches
Vulnerability mechanics
Root cause
"InstallTrigger URLs are incorrectly granted chrome-level privileges, enabling cross-domain JavaScript execution via IFRAME navigation to javascript: URLs."
Attack vector
A remote attacker hosts a malicious page containing an IFRAME that navigates the browser to a previous javascript: URL. Because InstallTrigger URLs are granted chrome rights [ref_id=1], the attacker can execute arbitrary JavaScript in other domains. When combined with CVE-2005-1477, this cross-domain script execution can lead to arbitrary code execution on the victim's system.
Affected code
The vulnerability involves the InstallTrigger component in Firefox 1.0.3. The bug report [ref_id=1] summarizes the issue as "InstallTrigger URLs have chrome rights," indicating that URLs handled by the InstallTrigger feature were granted elevated chrome-level privileges, allowing cross-domain script execution.
What the fix does
The bug was resolved as a duplicate, and the fix was included in Firefox 1.0.4 (blocking-aviary1.0.4+ flag set) [ref_id=1]. The patch corrected the privilege handling for InstallTrigger URLs so they no longer receive chrome rights, preventing cross-domain script execution via javascript: URLs in IFRAMEs.
Preconditions
- configVictim uses Firefox 1.0.3
- networkAttacker hosts a malicious web page visited by the victim
- configBrowser must have 'Allow web sites to install software' enabled (workaround is to disable this setting)
Reproduction
A public PoC is referenced at http://greyhatsecurity.org/vulntests/ffrc.htm. The PoC (attached as Attachment #182909 in the bug report) demonstrates using an IFRAME to navigate to a previous javascript: URL, achieving cross-domain script execution [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
19- secunia.com/advisories/15292nvdPatchVendor Advisory
- greyhatsecurity.org/vulntests/ffrc.htmnvdExploit
- www.mozilla.org/security/announce/mfsa2005-42.htmlnvdVendor Advisory
- www.kb.cert.org/vuls/id/534710nvdUS Government Resource
- ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txtnvd
- greyhatsecurity.org/firefox.htmnvd
- marc.infonvd
- marc.infonvd
- securitytracker.com/idnvd
- www.redhat.com/support/errata/RHSA-2005-434.htmlnvd
- www.redhat.com/support/errata/RHSA-2005-435.htmlnvd
- www.securityfocus.com/bid/13544nvd
- www.securityfocus.com/bid/15495nvd
- www.vupen.com/english/advisories/2005/0493nvd
- bugzilla.mozilla.org/show_bug.cginvd
- bugzilla.mozilla.org/show_bug.cginvd
- exchange.xforce.ibmcloud.com/vulnerabilities/20443nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100002nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10045nvd
News mentions
0No linked articles in our index yet.