CVE-2009-0354
Description
Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-domain vulnerability in Firefox 3.x before 3.0.6 allows bypass of Same Origin Policy via a chrome XBL method and window.eval, enabling XSS attacks.
Vulnerability
A cross-domain vulnerability exists in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6. The issue allows remote attackers to bypass the Same Origin Policy by using a chrome XBL method in conjunction with window.eval. Firefox 2 is not affected [3][4].
Exploitation
An attacker can craft a malicious web page that invokes a chrome XBL method and window.eval to execute arbitrary JavaScript in the context of another website, violating the same origin policy. No additional authentication or user interaction beyond visiting the page is required [3][4].
Impact
Successful exploitation enables cross-site scripting (XSS) attacks, allowing the attacker to access properties of an arbitrary window and potentially steal sensitive information from the target site. The impact is rated as high [4].
Mitigation
The vulnerability is fixed in Firefox 3.0.6, released on February 3, 2009. Users should update to this version or later. As a workaround, disabling JavaScript until the update is applied can mitigate the risk [1][4]. If no fix is available, follow the vendor's instructions.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (12)
- cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:*
- (no CPE) range: < 3.0.6
- OSV coordinates (2 packages):
  - pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 128.5.1-1.1
- (no CPE) range: < 92.0-1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (18)
- www.mozilla.org/security/announce/2009/mfsa2009-02.html (nvd; Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html (nvd)
- rhn.redhat.com/errata/RHSA-2009-0256.html (nvd)
- secunia.com/advisories/33799 (nvd)
- secunia.com/advisories/33809 (nvd)
- secunia.com/advisories/33831 (nvd)
- secunia.com/advisories/33841 (nvd)
- secunia.com/advisories/33846 (nvd)
- secunia.com/advisories/33869 (nvd)
- support.avaya.com/elmodocs2/security/ASA-2009-040.htm (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.securityfocus.com/bid/33598 (nvd)
- www.securitytracker.com/id (nvd)
- www.ubuntu.com/usn/usn-717-1 (nvd)
- www.vupen.com/english/advisories/2009/0313 (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9796 (nvd)
- www.redhat.com/archives/fedora-package-announce/2009-February/msg00240.html (nvd)
News mentions
No linked articles in our index yet.