Mozilla Foundation Security Advisory 2005-46
Title: XBL scripts ran even when JavaScript disabled
Severity: Low
Reporter: moz_bug_r_a4
Products: Firefox, Thunderbird, Mozilla Suite
Fixed in: Firefox 1.0.5, Thunderbird 1.0.5, Mozilla Suite 1.7.9
Description
Scripts in XBL controls from web content continued to run even when
JavaScript was disabled. By itself this causes no harm, but it could be
combined with most script-based exploits to attack people running
vulnerable versions who thought disabling JavaScript would protect them.
In the Thunderbird and Mozilla Suite mail clients, JavaScript is disabled by
default for protection against denial-of-service attacks and worms; this
vulnerability could be used to bypass that protection.
Workaround
Upgrade to a fixed version.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=292591
https://bugzilla.mozilla.org/show_bug.cgi?id=292589