VYPR
Unrated severity · NVD Advisory · Published Aug 31, 2009 · Updated Apr 23, 2026

CVE-2009-3012

Description

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header. NOTE: the JavaScript executes outside of the context of the HTTP site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mozilla Firefox fails to block data: URIs in HTTP Location headers, enabling cross-site scripting via injected JavaScript in data:text/html URIs.

Vulnerability

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre do not block data: URIs in HTTP Location headers: when a response redirects to a data:text/html URI, the browser follows the redirect and renders the embedded document, including any script it carries [1], [2]. Triggering the bug therefore requires an HTTP response whose Location header holds a data: URI, which in practice means either a server that reflects attacker-controlled input into that header (an open redirector) or a server the attacker controls outright.

Exploitation

An attacker exploits this through a website that redirects to a caller-supplied destination, for example a url parameter that is copied into the Location header without checking its scheme. The attacker builds a link such as http://site/redirect?url= followed by a data:text/html URI whose body contains a script element; when the victim follows it, the server answers with a Location header holding that data: URI, and Firefox renders the data: document and runs its script in the data: origin [1]. No user interaction beyond clicking the link is required, and because the payload travels in the redirect target rather than in the site's own markup, the site's HTML output encoding offers no protection.

Impact

Successful exploitation gives arbitrary JavaScript execution, but the script runs in the origin of the data: URI, not in that of the redirecting site (the NOTE in the NVD description makes the same point). It therefore cannot read the site's cookies or DOM, and the bug is weaker than a conventional reflected XSS. What the attacker does get is a page of fully attacker-chosen content reached through a link into a site the victim trusts, which is enough for phishing and content spoofing [1]. Anything beyond that would require chaining with a separate bug that grants the data: document access to the site's origin.

Mitigation

No official fix is cited in the available references, and no patch is listed for this record, so treat every listed version as affected. Upgrade to a current Firefox release; Firefox 59 and later block top-level navigation to data: URIs, which removes most of this attack surface. Until then, be wary of links into redirectors on sites you do not trust. The more durable mitigation is server-side and independent of the browser: a redirector should accept only http: and https: targets, ideally only relative paths or an allow-list of hosts, so that a data: URI can never reach a Location header.
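The redirector described under Exploitation, next to the server-side check that prevents it, as an added Node.js example that is not part of this advisory or of Mozilla's code: one handler copies a url parameter into Location unchanged, the other admits only http(s) targets on an allow-listed host, and a small scanner flags a raw response whose Location header carries a data: or javascript: scheme. The route, the url parameter, the allow-listed hosts and the sample response are assumptions constructed for the illustration.

```javascript
// Added example, not code from the advisory or from Mozilla. Route name,
// parameter name, allow-listed hosts and the sample response are assumptions
// constructed for this illustration.

const SITE_ORIGIN = 'https://www.example.com/';                              // assumed
const ALLOWED_HOSTS = new Set(['www.example.com', 'accounts.example.com']);  // assumed

// Vulnerable redirector: the value of ?url= is copied into Location as-is.
// With ?url=data:text/html,<script>...</script> the response header becomes
// "Location: data:text/html,<script>...</script>", the shape CVE-2009-3012
// describes; an affected Firefox follows it and runs the script.
function vulnerableLocation(urlParam) {
  return urlParam;
}

// Hardened redirector: parse with the WHATWG URL parser, then require an
// http/https scheme and an allow-listed host. Anything else (data:,
// javascript:, scheme-relative //evil, user@host tricks, unparsable input)
// falls back to a fixed on-site URL. Relative paths resolve against the site.
function safeLocation(urlParam, fallback = SITE_ORIGIN) {
  let target;
  try {
    target = new URL(urlParam, SITE_ORIGIN);
  } catch (err) {
    return fallback;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return fallback;
  if (!ALLOWED_HOSTS.has(target.hostname)) return fallback;
  return target.href;
}

// Detection side (proxy log or response review): does the raw response head
// carry a Location header whose target scheme is data: or javascript:?
// Header names are case-insensitive and the scheme may arrive with odd case
// or leading whitespace, so both are matched case-insensitively after trimming.
function locationHasScriptableScheme(rawResponseHead) {
  for (const line of rawResponseHead.split(/\r?\n/)) {
    const header = /^location:\s*(.*)$/i.exec(line);
    if (!header) continue;
    const scheme = /^\s*([a-z][a-z0-9+.-]*):/i.exec(header[1]);
    if (scheme && ['data', 'javascript'].includes(scheme[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample response of the vulnerable shape (not captured traffic).
const SAMPLE_RESPONSE = [
  'HTTP/1.1 302 Found',
  'Location: data:text/html,<script>alert(1)</script>',
  'Content-Length: 0',
  '',
  '',
].join('\r\n');

const crafted = 'data:text/html,<script>alert(1)</script>';
console.log('vulnerable Location:', vulnerableLocation(crafted));
console.log('hardened Location:  ', safeLocation(crafted));
console.log('hardened (in-site): ', safeLocation('/account/settings?tab=1'));
console.log('response flagged:   ', locationHasScriptableScheme(SAMPLE_RESPONSE));
```

The fallback is a fixed on-site URL rather than an error so that a tampered link still lands the victim somewhere harmless; in a real handler the allow-list should be the only source of truth, and logging each rejected value gives a cheap signal that someone is probing the redirector.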

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

21
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (range: <=3.0.13)
  • cpe:2.3:a:mozilla:firefox:3.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.6:a1_pre:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.7:a1_pre:*:*:*:*:*:*
  • (no CPE) range: <=3.0.13, 3.5, 3.6a1pre, 3.7a1pre

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.