Mozilla security researcher moz_bug_r_a4 reports that by using an
appropriately wrapped object it was possible to bypass the fix for MFSA
2007-19. Prior to Firefox 3.6 this gives an attacker the ability to perform
cross-site scripting attacks against arbitrary sites as in the original
MFSA 2007-19 attack. Due to unrelated changes in the browser engine used by
Firefox 3.6, attacks in that version are limited to capturing keystroke
events from a cross-origin frame or window rather than full DOM access.
Those events might be sufficient to illicitly obtain passwords or other
sensitive information entered into web forms.

This was fixed in upstream Firefox 3.0.18, and via RHSA-2010:0112 in Red Hat
Enterprise Linux 4 and 5.

A patch was applied to correct this in Red Hat Enterprise Linux 3 and 4
(Seamonkey) via RHSA-2010:0113.

A patch was applied to correct this in Red Hat Enterprise Linux 4 (Thunderbird).

A patch was applied to correct this in Red Hat Enterprise Linux 5 (Thunderbird).