You are here: Known Vulnerabilities in Mozilla Products (Firefox 220.127.116.11) > MFSA 2006-43
Mozilla Foundation Security Advisory 2006-43
Title: Privilege escalation using addSelectionListener
Date: June 1, 2006
Products: Firefox, SeaMonkey
Fixed in: Firefox 18.104.22.168
Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox in MFSA 2006-31 and content-defined DOM setters in MFSA 2006-37 moz_bug_r_a4 figured a way to leverage the fact that the notifications were created in a privileged context into arbitrary code execution.