CVE-2008-4066
Description
Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav�ascript" sequence, aka "HTML escaped low surrogates bug."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mozilla Firefox before 2.0.0.17 allows XSS bypass via HTML-escaped low surrogate characters that the HTML parser ignores.
Vulnerability
This vulnerability resides in the cross-site scripting (XSS) protection mechanism of Mozilla Firefox versions 2.0.0.14 through 2.0.0.16. The HTML parser ignores low surrogate characters when they are HTML-escaped, allowing attackers to craft sequences such as "jav�ascript" that bypass the filter but are still interpreted as valid script by the browser. [4]
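As an added illustration (not part of the original CVE record or of Mozilla's code), the following Python contrasts a naive keyword filter with a check that canonicalizes a URI the way a lenient HTML parser does before reading its scheme. The sample URIs are constructed: `&#xdc00;` stands in for the HTML-escaped low surrogate described above and `void(0)` is a harmless body. Python's `html.unescape` follows the HTML5 rule and turns a surrogate character reference into U+FFFD; the hardened check drops that and other ignorable characters, then compares the scheme against an allow-list instead of searching for a forbidden keyword.

```python
import html
import re
import unicodedata
from typing import Dict, Optional, Tuple

# Constructed sample URIs (not taken from the CVE record). The value says whether a
# correct filter should block the URI: True = script scheme hidden by escaping.
CONSTRUCTED_SAMPLES: Dict[str, bool] = {
    "jav&#xdc00;ascript:void(0)": True,    # HTML-escaped low surrogate splits the scheme name
    "JAVA&#9;SCRIPT:void(0)": True,        # escaped tab inside the scheme name
    "https://example.com/page": False,
    "mailto:user@example.com": False,
    "/relative/path?q=1": False,           # no scheme at all
}

SAFE_SCHEMES = {"http", "https", "mailto"}


def naive_is_blocked(raw: str) -> bool:
    """Keyword filter applied to the raw, still-escaped text: the kind of check this bug defeats."""
    return "javascript:" in raw.lower()


def canonical_scheme(raw: str) -> Optional[str]:
    """Return the URI scheme as a lenient HTML parser would read it, or None if there is none.

    Entities are decoded first (html.unescape maps a surrogate reference to U+FFFD, as the
    HTML5 algorithm requires); then characters the parser ignores are removed before the
    scheme is read, so nothing can be hidden inside the scheme name.
    """
    decoded = html.unescape(raw)
    cleaned = "".join(
        ch for ch in decoded
        if ch != "\ufffd"                                          # replacement char from bad references
        and not unicodedata.category(ch).startswith(("C", "Z"))   # controls, format chars, surrogates, spaces
    )
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.IGNORECASE)
    return m.group(1).lower() if m else None


def hardened_is_blocked(raw: str) -> bool:
    """Allow-list check on the canonical scheme; relative URIs (no scheme) pass."""
    scheme = canonical_scheme(raw)
    return scheme is not None and scheme not in SAFE_SCHEMES


def compare_filters() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (naive_blocked, hardened_blocked) so the gap between them is visible."""
    return {uri: (naive_is_blocked(uri), hardened_is_blocked(uri)) for uri in CONSTRUCTED_SAMPLES}


if __name__ == "__main__":
    for uri, (naive, hardened) in compare_filters().items():
        print(f"{uri!r:34} naive={naive!s:5} hardened={hardened!s:5} expected={CONSTRUCTED_SAMPLES[uri]}")
```

The point of the design is that the filter and the parser must see the same string: decoding and stripping ignorable characters first removes the mismatch the bug exploits, and an allow-list on the scheme means any new way of spelling a script scheme is rejected by default rather than needing its own pattern. Stripping all whitespace and control characters is deliberately conservative; it may reject a few odd but harmless inputs, which is the safer failure mode for a link filter.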
Exploitation
An attacker can exploit this by embedding HTML-escaped low surrogate characters into a malicious URI or web page to conceal script keywords from the XSS filter. The victim must visit the crafted page or click a link; no additional authentication or privileges are required.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session on the target domain, potentially leading to data theft, session hijacking, or further malicious actions.
Mitigation
Mozilla fixed this issue in Firefox 2.0.0.17, released on September 23, 2008. Users should upgrade to Firefox 2.0.0.17 or later. The Slackware security advisory also confirms the fix in Thunderbird 2.0.0.17, which shares the same underlying code. [4]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:*
- (no CPE) range: <2.0.0.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- blogs.technet.com/bluehat/archive/2008/08/14/targeted-fuzzing.aspx (NVD: Exploit)
- www.thespanner.co.uk/2008/06/30/javascript-protocol-fuzz-results/ (NVD: Exploit)
- secunia.com/advisories/31984 (NVD: Vendor Advisory)
- secunia.com/advisories/31985 (NVD: Vendor Advisory)
- secunia.com/advisories/32007 (NVD: Vendor Advisory)
- secunia.com/advisories/32010 (NVD: Vendor Advisory)
- secunia.com/advisories/32012 (NVD: Vendor Advisory)
- secunia.com/advisories/32025 (NVD: Vendor Advisory)
- secunia.com/advisories/32042 (NVD: Vendor Advisory)
- secunia.com/advisories/32044 (NVD: Vendor Advisory)
- secunia.com/advisories/32082 (NVD: Vendor Advisory)
- secunia.com/advisories/32092 (NVD: Vendor Advisory)
- secunia.com/advisories/32144 (NVD: Vendor Advisory)
- secunia.com/advisories/32845 (NVD: Vendor Advisory)
- secunia.com/advisories/34501 (NVD: Vendor Advisory)
- www.redhat.com/support/errata/RHSA-2008-0882.html (NVD: Vendor Advisory)
- www.redhat.com/support/errata/RHSA-2008-0908.html (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2008/2661 (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2009/0977 (NVD: Vendor Advisory)
- www.redhat.com/archives/fedora-package-announce/2008-September/msg01384.html (NVD: Vendor Advisory)
- download.novell.com/Download (NVD)
- jvn.jp/en/jp/JVN96950482/index.html (NVD)
- jvndb.jvn.jp/ja/contents/2011/JVNDB-2011-000058.html (NVD)
- lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html (NVD)
- secunia.com/advisories/32185 (NVD)
- secunia.com/advisories/32196 (NVD)
- slackware.com/security/viewer.php (NVD)
- sunsolve.sun.com/search/document.do (NVD)
- www.debian.org/security/2008/dsa-1649 (NVD)
- www.debian.org/security/2008/dsa-1669 (NVD)
- www.mandriva.com/security/advisories (NVD)
- www.mozilla.org/security/announce/2008/mfsa2008-43.html (NVD)
- www.securityfocus.com/bid/31346 (NVD)
- www.securitytracker.com/id (NVD)
- www.ubuntu.com/usn/usn-645-1 (NVD)
- www.ubuntu.com/usn/usn-645-2 (NVD)
- www.ubuntu.com/usn/usn-647-1 (NVD)
- bugzilla.mozilla.org/show_bug.cgi (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/45358 (NVD)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8880 (NVD)
- www.redhat.com/archives/fedora-package-announce/2008-September/msg01403.html (NVD)
News mentions
No linked articles in our index yet.