Closed Bug 382700 Opened 17 years ago Closed 17 years ago

Unsafe DOM mutation events in object frame.

Categories

(Core :: DOM: Events, defect)

1.8 Branch
x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: vladimir.sukhoy, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:dupe 382681] keep private until 355548 is fixed)

Attachments

(1 file)

Using DOM mutation events it is possible to crash the browser or make the UI unresponsive.
See also bug 382568, bug 382681, bug 382700, bug 355548;
Here it is nsObjectFrame::CreateDefaultFrames that is vulnerable (does child manipulations which fire events and the JavaScript being invoked in the middle of frame code may do some damage).
Blocks: 382754
No longer blocks: 382754
Fixed by the patch in bug 382681.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [sg:dupe 382681]
No hang or crash using Thunderbird version 1.5.0.13 (20070809) with JS enabled.  Replacing fixed1.5.0.13 keyword with verified1.5.0.13.
Flags: in-testsuite?
Whiteboard: [sg:dupe 382681] → [sg:dupe 382681] keep private until 355548 is fixed
Group: core-security
You need to log in before you can comment on or make changes to this bug.