Firefox vulnerability affects Gmail

Secunia has reported a security issue in Mozilla Firefox which involves the way Firefox handles the "jar:" protocol.

This can be exploted by malicious people to conduct cross-site scripting attacks and the only way to avoid being compromised is not to follow non-trusted "jar:" links or browse non-trusted websites.

The GNUcitizen blog adds that the "jar: content run within the scope/origin of the secondary URL. Therefore, a URL like this: jar:https:// example.com/test.jar!/t.htm, will render a page which executes within the origin

GNUCitizen also showed a proof of concept demo which illustrates how Gmail user contact book might be compromised and ransacked using the approach.

Intriguingly though, this issue was added as an extension to an existing bug on Mozilla dedicated bug squashing website.

Softpedia provided a quick way of avoiding being compromised : Just install a noscript extension which would allow Firefox users to disable scripts on certain websites.