Security researcher Collin Jackson reported a series of vulnerabilities which allow JavaScript to be injected into signed JARs and executed under the context of the JAR's signer. This could allow an attacker to run JavaScript in a victim's browser with the privileges of a different website, provided the attacker possesses a JAR signed by the other website. One vulnerability that Jackson reported allowed JavaScript to be injected into documents inside a signed JAR file. An additional vulnerability reported by Jackson exploited signed JAR files which use relative URLs to JavaScript files. An attacker could use this vulnerability to trick the browser into treating an attacker-controlled JavaScript file as the file the signed JAR intended to reference.
This is now public: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15
devhelp-0.16.1-8.fc8, gtkmozembedmm-1.4.2.cvs20060817-21.fc8, yelp-2.20.0-10.fc8, gnome-web-photo-0.3-11.fc8, kazehakase-0.5.4-2.fc8.2, blam-1.8.3-16.fc8, epiphany-2.20.3-5.fc8, liferea-1.4.15-2.fc8, epiphany-extensions-2.20.1-8.fc8, galeon-2.0.4-3.fc8.3, openvrml-0.17.6-3.fc8, chmsee-1.0.0-2.31.fc8, ruby-gnome2-0.17.0-0.2.rc1.fc8, firefox-2.0.0.15-1.fc8, gnome-python2-extras-2.19.1-15.fc8, Miro-1.2.3-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-1.1.10-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-1.1.10-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This was addressed via: Red Hat Enterprise Linux version 2.1 (seamonkey) RHSA-2008:0547 Red Hat Enterprise Linux version 3 (seamonkey) RHSA-2008:0547 Red Hat Enterprise Linux version 4 (seamonkey) RHSA-2008:0547 Red Hat Enterprise Linux version 4 (firefox) RHSA-2008:0549 Red Hat Enterprise Linux version 5 (firefox) RHSA-2008:0569 Red Hat Enterprise Linux version 4 (thunderbird) RHSA-2008:0616 Red Hat Enterprise Linux Desktop version 5 (thunderbird) RHSA-2008:0616 RHEL Optional Productivity Applications version 5 (thunderbird) RHSA-2008:0616