CVE-2010-0170
Description
Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the expected window.location protection mechanism, which might allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors that are specific to each affected plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Firefox 3.6 before 3.6.2 exposes window.location to plugins, allowing same-origin policy bypass and XSS attacks.
Vulnerability
In Firefox 3.6, the window.location object was made a normal, overridable JavaScript object as part of new same-origin policy enforcement mechanisms. Some plugins use this object to determine the page origin when enforcing their own access restrictions. A malicious page can override window.location to fool such a plugin into granting access to data on another site or on the local file system. This flaw affects Firefox 3.6 before version 3.6.2; it does not affect earlier Firefox versions or other Mozilla products such as Thunderbird or SeaMonkey [1][2].
Exploitation
An attacker must host a malicious web page that overrides the window.location object. When a plugin (e.g., Flash) queries this object to enforce its own same-origin checks, it receives a fake origin. The attacker can then use plugin-specific vectors to bypass the Same Origin Policy and perform cross-site scripting (XSS) attacks [1][2].
Impact
Successful exploitation allows an attacker to bypass the Same Origin Policy, potentially leading to cross-site scripting (XSS) attacks or unauthorized access to data on other sites or the local file system, depending on the plugin's capabilities [1].
Mitigation
The vulnerability is fixed in Firefox 3.6.2, released on March 23, 2010. Users should upgrade to Firefox 3.6.2 or later. No workarounds are documented in the available references [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*
- (no CPE) range: < 3.6.2
- OSV coordinates (2 versions):
  - pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 128.5.1-1.1
- (no CPE) range: < 50.1.0-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/announce/2010/mfsa2010-10.html (NVD; Vendor Advisory)
- www.mandriva.com/security/advisories (NVD)
- www.securityfocus.com/bid/38918 (NVD)
- www.securityfocus.com/bid/38919 (NVD)
- www.vupen.com/english/advisories/2010/0692 (NVD)
- bugzilla.mozilla.org/show_bug.cgi (NVD)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8602 (NVD)
News mentions
No linked articles in our index yet.