You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.3) > MFSA 2005-37
Mozilla Foundation Security Advisory 2005-37
Title: Code execution through javascript: favicons
Severity: Critical
Reporter: Michael Krax
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.3
Mozilla Suite 1.7.7
Description
Firefox and the Mozilla Suite support custom "favicons" through the <LINK rel="icon"> tag. If a link tag is added to the page programmatically and a javascript: url is used, then script will run with elevated privileges and could run or install malicious software.
Workaround
Disable javascript.