Fluid Attacks Database

Description

The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel6	firefox	<0:3.6.24-3.el6_1	0:3.6.24-3.el6_1
rpm rhel6	thunderbird	<0:3.1.16-2.el6_1	0:3.1.16-2.el6_1
rpm rhel5	xulrunner	<0:1.9.2.24-2.el5_7	0:1.9.2.24-2.el5_7
rpm rhel5	firefox	<0:3.6.24-3.el5_7	0:3.6.24-3.el5_7
rpm rhel6	xulrunner	<0:1.9.2.24-2.el6_1.1	0:1.9.2.24-2.el6_1.1

Aliases

1. CVE-2011-36472. NVD-2011-36473. OSV-2011-3647

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.