CVE-2009-3010
Description
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: in some product versions, the JavaScript executes outside of the context of the HTTP site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mozilla Firefox, SeaMonkey, and Mozilla Suite fail to block data: URIs in Refresh headers, enabling XSS attacks via arbitrary JavaScript execution.
Vulnerability
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses. This allows an attacker to inject a Refresh header containing JavaScript sequences in a data:text/html URI, or to enter such a URI when specifying the content of a Refresh header. The affected versions fail to sanitize data: URIs in this context, bypassing protections previously added in Firefox 3.0.9 for javascript: URIs [1][2].
Exploitation
An attacker needs only to control an HTTP response header (e.g., via a parameter injectable into a redirect script). By crafting a Refresh header with a data:text/html URI that contains arbitrary JavaScript, the browser will navigate to that data URI and execute the script. For example, a request such as http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b can cause the server to return a Refresh: 0; URL=data:text/html;base64,... header, leading to script execution. The attack works without requiring any special user interaction beyond visiting the crafted page or link [1][2].
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of the affected browser session. This can lead to theft of cookies, session tokens, or other sensitive data, and can enable further attacks such as UI redressing or phishing. In some product versions, the JavaScript executes outside the context of the HTTP site, meaning the attacker may not have cross-origin access to the site's DOM, but can still perform attacks like cookie theft and phishing [1].
Mitigation
Mozilla released Firefox 3.0.14 and later versions to address this issue by properly blocking data: URIs in Refresh headers. Users should upgrade to Firefox 3.0.14 or later, SeaMonkey 1.1.18 or later, or the latest versions of Mozilla Suite (where available). No other workaround is available besides upgrading to the fixed version [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=3.0.13
- cpe:2.3:a:mozilla:firefox:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.6:a1_prerelease:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.7:a1_prerelease:*:*:*:*:*:*
- (no CPE)range: <=3.0.13, 3.5, 3.6a1pre, 3.7a1pre
cpe:2.3:a:mozilla:mozilla:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:mozilla:*:*:*:*:*:*:*:*range: <=1.7.12
- (no CPE)range: <=1.7.x
cpe:2.3:a:mozilla:seamonkey:1.1.17:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:seamonkey:1.1.17:*:*:*:*:*:*:*
- (no CPE)range: =1.1.17
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- websecurity.com.ua/3315/nvdExploit
- websecurity.com.ua/3386/nvdExploit
- exchange.xforce.ibmcloud.com/vulnerabilities/52999nvdThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.