|Description||Mozilla Firefox 1.5.x before 220.127.116.11 and 2.x before 18.104.22.168, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to spoof or hide the browser chrome, such as the location bar, by placing XUL popups outside of the browser's content pane. NOTE: this issue can be leveraged for phishing and other attacks.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)|
|References||DSA-1300-1, DSA-1306-1, DSA-1308-1, DTSA-45-1, DTSA-47-1, DTSA-51-1|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|iceweasel (PTS)||wheezy (security), wheezy||38.8.0esr-1~deb7u1||fixed|
|jessie (security), jessie||38.8.0esr-1~deb8u1||fixed|
|xulrunner (PTS)||wheezy (security), wheezy||24.8.1esr-2~deb7u1||fixed|
The information below is based on the following data on fixed versions.
[sarge] - mozilla <no-dsa> (Mozilla products from Sarge no longer supported)