CVE-2005-1937
Description
A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:* (version = 1.0.3)
- cpe:2.3:a:mozilla:mozilla:1.7.7:*:*:*:*:*:*:* (version = 1.7.7)
Patches
Vulnerability mechanics
Root cause
"A regression from bug 289204 caused the JS context to be pushed onto the stack too early, allowing `IsCapabilityEnabled` to return `PR_TRUE` and bypass the origin check during targeted frame loads."
Attack vector
A remote attacker hosts a page that performs a targeted load into a named frame belonging to another site (for example `window.open(url, "frameName")` or a link with `target="frameName"`). Because the regression from bug 289204 pushes the callee window's JS context onto the context stack before the search for an existing named window, `nsDocShell::ValidateOrigin` runs its check while that context, which has no script frame on it, is the current one. `IsCapabilityEnabled` treats a JSContext with no stack frame as trusted and returns `PR_TRUE` for `UniversalBrowserWrite`, so the cross-site origin check is bypassed and the attacker-chosen URL (including a `javascript:` URL) is loaded into the victim site's frameset, where it runs in the victim's frame and can spoof its content [ref_id=1].
Affected code
The regression was introduced by bug 289204 and affects `nsGlobalWindow::OpenInternal()` in `mozilla/dom/src/base/nsGlobalWindow.cpp` and `nsWindowWatcher::OpenWindowJS()` in `mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp`; the origin check that is bypassed lives in `nsDocShell::ValidateOrigin` [ref_id=1].
What the fix does
The patch moves the JS context pushing code from `nsGlobalWindow::OpenInternal()` into the windowwatcher code that does the actual opening. By delaying the push of the callee window's context onto the stack until after the search for an existing named window completes, `IsCapabilityEnabled` no longer sees a JSContext during the origin validation step and correctly returns `PR_FALSE`, restoring the intended security check [ref_id=1].
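The two paragraphs above describe an order-of-operations bug: the same origin check allows or blocks the load depending on whether a frame-less JS context is already on the context stack when it runs. The following is an added example, not Mozilla code, that models that decision in plain JavaScript so the two orderings can be compared side by side. The function names (`sameOrigin`, `isCapabilityEnabled`, `validateOrigin`, `targetedLoad`, `demo`), the shape of the context-stack entries, the assumption that the opener's own script frame sits on the stack with no special capabilities, and the victim/attacker URLs are all this example's own constructions; the only behaviour taken from the page is that a pushed JSContext with no script frame makes the capability check return true, while an unprivileged frame makes it return false.

```javascript
// Added example, not Mozilla code: a model of the nsDocShell::ValidateOrigin
// decision for a targeted load into a named frame, showing how the point at
// which the callee window's JS context is pushed changes the outcome.

// Origin comparison: scheme, host and port must all agree. The WHATWG URL
// parser drops default ports, so "https://h:443/" and "https://h/" compare equal.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Model of IsCapabilityEnabled(capability) over a context stack (assumption:
// each entry is { window, frame } and frame is null when no script is running
// in that context). No context at all: untrusted. Context with no frame:
// treated as a trusted native caller. Context with a frame: ask its principal.
function isCapabilityEnabled(contextStack, capability) {
  if (contextStack.length === 0) return false;
  const top = contextStack[contextStack.length - 1];
  if (top.frame === null) return true;
  return top.frame.principal.capabilities.includes(capability);
}

// Model of the origin check: same-origin loads are always allowed; a
// cross-site targeted load needs UniversalBrowserWrite on the current context.
function validateOrigin(originDoc, targetDoc, contextStack) {
  if (sameOrigin(originDoc.url, targetDoc.url)) return true;
  return isCapabilityEnabled(contextStack, 'UniversalBrowserWrite');
}

// One targeted load: `opener` asks to load `url` into the frame called `name`.
// `pushContextBeforeLookup` selects the vulnerable (true) or fixed (false) order.
function targetedLoad({ opener, namedFrames, url, name, pushContextBeforeLookup }) {
  // Assumption: the opener's own script is on the stack with an ordinary principal.
  const contextStack = [
    { window: 'opener', frame: { principal: { origin: opener.url, capabilities: [] } } },
  ];
  if (pushContextBeforeLookup) {
    // Vulnerable ordering (regression from bug 289204): the callee window's
    // context goes on the stack before the named-window search, so the origin
    // check below sees a frame-less context on top.
    contextStack.push({ window: 'callee', frame: null });
  }
  const target = namedFrames.get(name);
  if (!target) return { outcome: 'new-window', url };
  if (!validateOrigin(opener, target, contextStack)) {
    return { outcome: 'blocked', reason: 'cross-origin targeted load' };
  }
  if (!pushContextBeforeLookup) {
    // Fixed ordering: the push happens only after the lookup and the check.
    contextStack.push({ window: 'callee', frame: null });
  }
  target.url = url; // the victim frame's content is replaced by the attacker's URL
  return { outcome: 'loaded', into: target.owner, url };
}

// Constructed sample: a victim window at https://bank.example/ with a frame
// named "content", and an attacker page on a different origin.
const victimFrame = { owner: 'https://bank.example/', url: 'https://bank.example/account', name: 'content' };
const attackerDoc = { url: 'http://attacker.example/evil.html' };

// Run the attacker's window.open("javascript:...", "content") against a fresh
// copy of the victim frame under the vulnerable (true) or fixed (false) ordering.
function demo(vulnerable) {
  const frames = new Map([[victimFrame.name, { ...victimFrame }]]);
  return targetedLoad({
    opener: attackerDoc,
    namedFrames: frames,
    url: 'javascript:document.body.innerHTML="<form>spoofed login</form>"',
    name: 'content',
    pushContextBeforeLookup: vulnerable,
  });
}

console.log('vulnerable ordering:', demo(true));  // loaded into https://bank.example/
console.log('fixed ordering:     ', demo(false)); // blocked
```

The model deliberately keeps the origin comparison and the capability check as two separate functions: the bug is not in either of them but in what the stack looks like when `validateOrigin` is called, which is exactly why the fix is a relocation of the push rather than a change to the check itself.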
Preconditions
- input: The attacker must host a web page that attempts a targeted load into a named frame of another site.
- config: The victim must use Firefox 1.0.3 or Mozilla 1.7.7 (the vulnerable versions).
- config: The victim's browser must not have the workaround pref `browser.frame.validate_origin` set to true, and must not have an extension like TabMix that forces new windows into tabs.
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/15601
- secunia.com/multiple_browsers_frame_injection_vulnerability_test/
- sunsolve.sun.com/search/document.do
- www.debian.org/security/2005/dsa-777
- www.debian.org/security/2005/dsa-810
- www.mozilla.org/security/announce/mfsa2005-51.html
- www.novell.com/linux/security/advisories/2005_18_sr.html
- www.novell.com/linux/security/advisories/2005_45_mozilla.html
- www.redhat.com/support/errata/RHSA-2005-586.html
- www.redhat.com/support/errata/RHSA-2005-587.html
- www.securityfocus.com/bid/14242
- www.vupen.com/english/advisories/2005/1075
- bugzilla.mozilla.org/show_bug.cgi
- bugzilla.redhat.com/bugzilla/show_bug.cgi
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100007
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10633
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A637
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A759
News mentions
No linked articles in our index yet.