You are here: Known Vulnerabilities in Mozilla Products (Firefox 126.96.36.199) > MFSA 2006-56
Mozilla Foundation Security Advisory 2006-56
Title: chrome: scheme loading remote content
Announced: July 25, 2006
Reporter: Benjamin Smedberg (Mozilla)
Products: Firefox, SeaMonkey
Fixed in: Firefox 188.8.131.52
Benjamin Smedberg discovered that chrome URL's could be made to reference remote files, which would run scripts with full privilege. There is no known way for web content to successfully load a chrome: url, but if a user could be convinced to do so manually (perhaps by copying a link and pasting it into the location bar) this could be exploited.
Although Thunderbird shares the browser engine with Firefox it supports no way for a mail message to load a chrome: url or to cause one to be loaded in the browser. It is thus not vulnerable to this flaw. The underlying Thunderbird code has been fixed in 184.108.40.206
Do not copy or drag links from untrusted web content or emails. If you must, make sure it is a normal http:, https:, or ftp: link rather than chrome: or another uncommon type.
Exploit details withheld during the active upgrade period