CVE-2007-1084

Name: CVE-2007-1084
Description: Mozilla Firefox 2.0.0.1 and earlier does not prompt users before saving bookmarklets, which allows remote attackers to bypass the same-domain policy by tricking a user into saving a bookmarklet with a data: scheme, which is executed in the context of the last visited web page.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 556268, 556270, 556271, 556272

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| conkeror (PTS) | jessie | 1.0~~pre-1+git141025-1+deb8u2 | fixed |
| | stretch | 1.0.3+git170123-1 | fixed |
| | sid | 1.0.4-1 | fixed |
| epiphany-browser (PTS) | jessie | 3.14.1-1 | vulnerable |
| | stretch | 3.22.7-1 | vulnerable |
| | buster, sid | 3.30.2-1 | vulnerable |

The information below is based on the following data on fixed versions.

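| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| conkeror | source | (unstable) | (not affected) | | | |
| epiphany-browser | source | (unstable) | (unfixed) | unimportant | | 556272 |
| galeon | source | (unstable) | 2.0.7-2 | unimportant | | 556270 |
| iceape | source | (unstable) | (unfixed) | unimportant | | |
| iceweasel | source | (unstable) | (unfixed) | unimportant | | 556268 |
| kazehakase | source | (unstable) | 0.5.8-2 | medium | | 556271 |
| kazehakase | source | lenny | 0.5.4-2lenny1 | medium | | |
| webkit | source | (unstable) | (not affected) | | | |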

Notes

only epiphany-gecko backend affected
- conkeror <not-affected> (doesn't support bookmarks)
- webkit <not-affected> (doesn't support javascript embedded in bookmarks)
