Bug 397943 - www-client/firefox{,-bin} Drag and Drop Handling Same Origin Policy Bypass Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/47400/
Whiteboard: A3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-06 23:46 UTC by Michael Harrison
Modified: 2013-08-27 21:18 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Harrison 2012-01-06 23:46:42 UTC
The vulnerability is caused due to an error when handling drag and drop events and can be exploited to bypass the same origin policy and e.g. execute script code in the context of another domain.

The vulnerability is confirmed in version 9.0.1. Other versions may also be affected.

Solution
Do not perform suspicious actions on untrusted web sites.

Original Advisory:
http://soroush.secproject.com/blog/2011/12/drag-and-drop-xss-in-firefox-by-html5-cross-domain-in-frames/
Comment 1 Jory A. Pratt gentoo-dev 2012-02-13 01:18:16 UTC
Please do not add us to a security bug if upstream has not made a release with a fix or a patch is unavailable. This creates undesired noise in our inboxes.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-02-13 19:51:59 UTC
(In reply to comment #1)
> Please do not add us to a security bug if upstream has not made a release with
> a fix or a patch is unavailable. This creates undesired noise in our inboxes.

NACK. Maintainers are CC'd onto bugs when filed/wrangled, as per our procedures [1]. Making exceptions for single teams is not acceptable.

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3
Comment 3 Jory A. Pratt gentoo-dev 2013-06-27 03:32:01 UTC
(In reply to Alex Legler from comment #2)
> (In reply to comment #1)
> > Please do not add us to a security bug if upstream has not made a release with
> > a fix or a patch is unavailable. This creates undesired noise in our inboxes.
> 
> NACK. Maintainers are CC'd onto bugs when filed/wrangled, as per our
> procedures [1]. Making exceptions for single teams is not acceptable.
> 
> [1] http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3

This issue has been fixed for a while; it appears it has been forgotten about by the security team. Please close bug.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 21:18:26 UTC
Okay then. 9.0.1 is far too old to need a GLSA, closing.