CVE-2010-0178 in Firefox
Summary
by MITRE
Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL and then loading a javascript: URL.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/05/2026
This vulnerability exists in multiple versions of Mozilla Firefox and SeaMonkey browsers where the security model fails to properly isolate privileged chrome URLs from untrusted content. The flaw stems from inadequate handling of mouse event interpretation during drag-and-drop operations, allowing malicious applets to manipulate the browser's privilege context. When a chrome: URL is loaded followed by a javascript: URL, the browser's event processing mechanism incorrectly interprets user interactions, enabling attackers to escalate privileges and execute arbitrary JavaScript code with chrome privileges. This represents a critical cross-site scripting vulnerability that bypasses the browser's security sandbox mechanisms.
The technical implementation of this vulnerability leverages the browser's event handling system where mouse click events intended for standard web content are incorrectly processed as drag-and-drop operations. This misinterpretation occurs because the browser fails to properly validate the security context when processing mouse events during the transition between chrome and javascript URLs. The vulnerability specifically affects the drag-and-drop API implementation where the event flow is not properly secured against malicious input. According to CWE-20, this represents a weakness in input validation where the application fails to properly handle user-supplied data that affects the control flow of the application.
The operational impact of this vulnerability is severe as it allows remote attackers to execute arbitrary code with elevated privileges that are normally restricted to the browser's own components. An attacker can construct a malicious web page that loads a chrome: URL which then loads a javascript: URL, effectively bypassing the normal security boundaries between user content and privileged browser operations. This creates a pathway for attackers to access sensitive browser functionality, potentially leading to complete system compromise through privilege escalation. The vulnerability affects a wide range of browser versions and can be exploited through various attack vectors including phishing campaigns, malicious websites, and social engineering techniques.
Mitigation strategies should focus on immediate browser updates to patched versions where Mozilla has addressed the event handling and privilege escalation issues. Organizations should implement strict browser security policies and consider using security extensions that monitor and restrict chrome URL access. Network-level protections such as web application firewalls can help detect and block known attack patterns, while security awareness training can help users recognize potential phishing attempts. According to ATT&CK framework, this vulnerability maps to T1059.007 for JavaScript execution and T1068 for privilege escalation through application vulnerabilities. Regular security assessments should verify that browsers are updated to versions that properly implement security boundaries between different URL schemes and prevent improper event propagation between privileged and unprivileged contexts.