CVE-2007-1084

Name: CVE-2007-1084
Description: Mozilla Firefox 2.0.0.1 and earlier does not prompt users before saving bookmarklets, which allows remote attackers to bypass the same-domain policy by tricking a user into saving a bookmarklet with a data: scheme, which is executed in the context of the last visited web page.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 556268, 556270, 556271, 556272

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| conkeror (PTS) | jessie | 1.0~~pre-1+git141025-1+deb8u2 | fixed |
| | stretch | 1.0.3+git170123-1 | fixed |
| epiphany-browser (PTS) | jessie | 3.14.1-1 | vulnerable |
| | stretch | 3.22.7-1 | vulnerable |
| | buster (security), buster, buster (lts) | 3.32.1.2-3~deb10u3 | vulnerable |
| | bullseye (security), bullseye | 3.38.2-1+deb11u3 | vulnerable |
| | bookworm | 43.1-1 | vulnerable |
| | trixie | 47.0-1 | vulnerable |
| | sid | 47.2-1 | vulnerable |

The information below is based on the following data on fixed versions.

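| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| conkeror | source | (unstable) | (not affected) | | | |
| epiphany-browser | source | (unstable) | (unfixed) | unimportant | | 556272 |
| galeon | source | (unstable) | 2.0.7-2 | unimportant | | 556270 |
| iceape | source | (unstable) | (unfixed) | unimportant | | |
| iceweasel | source | (unstable) | (unfixed) | unimportant | | 556268 |
| kazehakase | source | lenny | 0.5.4-2lenny1 | | | |
| kazehakase | source | (unstable) | 0.5.8-2 | | | 556271 |
| webkit | source | (unstable) | (not affected) | | | |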

Notes

only epiphany-gecko backend affected
- conkeror <not-affected> (doesn't support bookmarks)
- webkit <not-affected> (doesn't support javascript embedded in bookmarks)
