CVE-2007-1084

Name: CVE-2007-1084
Description: Mozilla Firefox 2.0.0.1 and earlier does not prompt users before saving bookmarklets, which allows remote attackers to bypass the same-domain policy by tricking a user into saving a bookmarklet with a data: scheme, which is executed in the context of the last visited web page.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 556268, 556270, 556271, 556272

Vulnerable and fixed packages

The table below lists information on source packages.

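| Source Package | Release | Version | Status |
|---|---|---|---|
| epiphany-browser (PTS) | buster | 3.32.1.2-3~deb10u1 | vulnerable |
| epiphany-browser | buster (security) | 3.32.1.2-3~deb10u3 | vulnerable |
| epiphany-browser | bullseye (security), bullseye | 3.38.2-1+deb11u3 | vulnerable |
| epiphany-browser | bookworm | 43.1-1 | vulnerable |
| epiphany-browser | trixie | 46~beta-1 | vulnerable |
| epiphany-browser | sid | 46.0-2 | vulnerable |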

The information below is based on the following data on fixed versions.

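| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| conkeror | source | (unstable) | (not affected) | | | |
| epiphany-browser | source | (unstable) | (unfixed) | unimportant | | 556272 |
| galeon | source | (unstable) | 2.0.7-2 | unimportant | | 556270 |
| iceape | source | (unstable) | (unfixed) | unimportant | | |
| iceweasel | source | (unstable) | (unfixed) | unimportant | | 556268 |
| kazehakase | source | lenny | 0.5.4-2lenny1 | | | |
| kazehakase | source | (unstable) | 0.5.8-2 | | | 556271 |
| webkit | source | (unstable) | (not affected) | | | |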

Notes

only epiphany-gecko backend affected
- conkeror <not-affected> (doesn't support bookmarks)
- webkit <not-affected> (doesn't support javascript embedded in bookmarks)
