CVE-2009-2472
Description
Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mozilla Firefox before 3.0.12 fails to wrap cross-origin windows in some cases, allowing Same Origin Policy bypass via crafted documents.
Vulnerability
Mozilla Firefox before version 3.0.12 does not always use XPCCrossOriginWrapper (XOW) when constructing objects, specifically when accessing a numeric property of a window that is a subframe ([2]). The error occurs in nsWindowSH::GetProperty, which fails to call nsXPConnect::GetXOWForObject for numeric window properties ([2]). This issue is also triggered when accessing a window via this, __parent__, or valueOf.call(), leading to insufficient XOW wrapping ([4]). These flaws allow bypass of the Same Origin Policy (SOP) and are related to a 'cross origin wrapper bypass' ([1], [2], [4]).
Exploitation
An attacker can exploit this vulnerability by hosting a crafted HTML document that references a cross-origin subframe using a numeric property, or by using properties like this or valueOf.call() to access another window without proper XOW wrapping ([2], [4]). The attacker does not require authentication beyond delivering the malicious document to a victim user; the user simply needs to visit the attacker's page in a vulnerable Firefox version. Successful exploitation requires no special privileges or user interaction beyond normal browsing ([1]).
Impact
A successful attack allows the attacker to bypass the Same Origin Policy, enabling cross-site scripting (XSS) attacks ([1]). The attacker can read or modify data in other origins, such as extracting cookies, page content, or performing actions on behalf of the user on other sites ([1]). The impact is high as it compromises the confidentiality and integrity of user data across different web origins ([1], [4]).
Mitigation
The vulnerability is fixed in Mozilla Firefox 3.0.12 and later versions ([1]). Users should upgrade to Firefox 3.0.12 or higher. Red Hat Enterprise Linux 3, 4, and 5 received updates via RHSA-2009:1162 on 2009-07-22 ([1]). No workarounds are documented for users unable to upgrade. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
11cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <3.0.12
- (no CPE)range: <3.0.12
cpe:2.3:a:suse:linux_enterprise_debuginfo:10:sp2:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:suse:linux_enterprise_debuginfo:10:sp2:*:*:*:*:*:*
- cpe:2.3:a:suse:linux_enterprise_debuginfo:11:-:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp2:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:suse:linux_enterprise_desktop:10:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:11:-:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:10:sp2:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:suse:linux_enterprise_server:10:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:-:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
18- www.mozilla.org/security/announce/2009/mfsa2009-40.htmlnvdPatchVendor Advisory
- www.securityfocus.com/bid/35758nvdPatchThird Party AdvisoryVDB Entry
- www.vupen.com/english/advisories/2009/1972nvdPatchThird Party Advisory
- bugzilla.mozilla.org/show_bug.cginvdIssue TrackingPatchVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdIssue TrackingPatchVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdIssue TrackingPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2009-08/msg00002.htmlnvdMailing ListThird Party Advisory
- secunia.com/advisories/35914nvdThird Party Advisory
- secunia.com/advisories/35944nvdThird Party Advisory
- secunia.com/advisories/36005nvdThird Party Advisory
- secunia.com/advisories/36145nvdThird Party Advisory
- www.vupen.com/english/advisories/2009/2152nvdThird Party Advisory
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9497nvdThird Party Advisory
- www.redhat.com/archives/fedora-package-announce/2009-July/msg01032.htmlnvdThird Party Advisory
- rhn.redhat.com/errata/RHSA-2009-1162.htmlnvdBroken Link
- sunsolve.sun.com/search/document.donvdBroken Link
- sunsolve.sun.com/search/document.donvdBroken Link
News mentions
0No linked articles in our index yet.