Security researcher Wladimir Palant reported that cookies marked HTTPOnly were readable by JavaScript via the XMLHttpRequest.getResponseHeader API. This vulnerability bypasses the security mechanism provided by the HTTPOnly flag which intends to restrict JavaScript access to document.cookie.
Public now via MFSA 2009-05: http://www.mozilla.org/security/announce/2009/mfsa2009-05.html
xulrunner-1.9.0.6-1.fc10, firefox-3.0.6-1.fc10, epiphany-extensions-2.24.0-4.fc10, epiphany-2.24.3-2.fc10, blam-1.8.5-6.fc10, devhelp-0.22-3.fc10, evolution-rss-0.1.2-4.fc10, galeon-2.0.7-5.fc10, gecko-sharp2-0.13-4.fc10, gnome-python2-extras-2.19.1-26.fc10, gnome-web-photo-0.3-14.fc10, google-gadgets-0.10.5-2.fc10, kazehakase-0.5.6-1.fc10.3, Miro-1.2.8-2.fc10, mozvoikko-0.9.5-6.fc10, mugshot-1.2.2-5.fc10, pcmanx-gtk2-0.3.8-5.fc10, ruby-gnome2-0.18.1-3.fc10, yelp-2.24.0-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
xulrunner-1.9.0.6-1.fc9, firefox-3.0.6-1.fc9, epiphany-extensions-2.22.1-7.fc9, epiphany-2.22.2-7.fc9, blam-1.8.5-5.fc9.1, cairo-dock-1.6.3.1-1.fc9.3, chmsee-1.0.1-8.fc9, devhelp-0.19.1-8.fc9, evolution-rss-0.1.0-6.fc9, galeon-2.0.7-5.fc9, gnome-python2-extras-2.19.1-23.fc9, gnome-web-photo-0.3-17.fc9, google-gadgets-0.10.5-2.fc9, gtkmozembedmm-1.4.2.cvs20060817-25.fc9, kazehakase-0.5.6-1.fc9.3, Miro-1.2.7-4.fc9, mozvoikko-0.9.5-6.fc9, mugshot-1.2.2-5.fc9, ruby-gnome2-0.17.0-5.fc9, totem-2.23.2-10.fc9, yelp-2.22.1-8.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-1.1.15-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-1.1.15-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Linux Enterprise 4 Red Hat Linux Enterprise 4.7.z Red Hat Linux Enterprise 5 Red Hat Linux Enterprise 5.3.z Via RHSA-2009:0256 available at https://rhn.redhat.com/errata/RHSA-2009-0256.html
This issue has been addressed in following products: Red Hat Linux Enterprise 2.1 Red Hat Linux Enterprise 3 Red Hat Linux Enterprise 4 Red Hat Linux Enterprise 4.7.z Via RHSA-2009:0257 available at https://rhn.redhat.com/errata/RHSA-2009-0257.html