Bug 546724 - (CVE-2009-3986) CVE-2009-3986 Mozilla Chrome privilege escalation via window.opener
CVE-2009-3986 Mozilla Chrome privilege escalation via window.opener
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2009-12-11 14:35 EST by Josh Bressers
Modified: 2013-04-12 17:32 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-04-12 17:32:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1674 normal SHIPPED_LIVE Critical: firefox security update 2009-12-16 00:03:54 EST

  None (edit)
Description Josh Bressers 2009-12-11 14:35:46 EST
Security researcher David James reported that a content window which is opened by a chrome window retains a reference to the chrome window via the window.opener property. Via this reference, the newly opened content window can access functions inside the chrome window, such as eval, and use these functions to perform a privilege escalation and run arbitrary JavaScript code with chrome privileges. Because an attacker would need to find a browser dialog which opens a chrome privileged window then navigate the new window to an attacker-controlled page in order to leverage this vulnerability, the severity of this issue was determined to be moderate.
Comment 1 errata-xmlrpc 2009-12-16 00:04:10 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1674 https://rhn.redhat.com/errata/RHSA-2009-1674.html
Comment 2 Fedora Update System 2009-12-17 23:31:47 EST
firefox-3.5.6-1.fc11, epiphany-extensions-2.26.1-9.fc11, yelp-2.26.0-10.fc11, ruby-gnome2-0.19.3-5.fc11, perl-Gtk2-MozEmbed-0.08-6.fc11.8, mozvoikko-0.9.7-0.10.rc1.fc11, monodevelop-2.0-8.fc11, Miro-2.5.2-7.fc11, kazehakase-0.5.8-4.fc11, google-gadgets-0.11.1-4.fc11, hulahop-0.4.9-11.fc11, gnome-web-photo-0.7-9.fc11, galeon-2.0.7-19.fc11, gnome-python2-extras-2.25.3-10.fc11, evolution-rss-0.1.4-9.fc11, blam-1.8.5-17.fc11, pcmanx-gtk2-0.3.8-11.fc11, epiphany-2.26.3-7.fc11, chmsee-1.0.1-14.fc11, xulrunner- has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2009-12-17 23:37:37 EST
gnome-python2-extras-2.25.3-14.fc12, mozvoikko-1.0-7.fc12, gnome-web-photo-0.9-4.fc12, galeon-2.0.7-19.fc12, Miro-2.5.2-7.fc12, firefox-3.5.6-1.fc12, perl-Gtk2-MozEmbed-0.08-6.fc12.10, blam-1.8.5-21.fc12, xulrunner- has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.