
Undetectable remote arbitrary code execution through JavaScript and HTTP headers - zeveb
https://bugzilla.mozilla.org/show_bug.cgi?id=1487081
======
rauhl
A Mozilla team member closed it as invalid, pointing to an online discussion
of the bug as a reason why a bug isn’t necessary[0].

Interestingly, this ‘just once’ attack is why Firefox Accounts are broken as
designed: it’s possible for Mozilla to target a user, just once, with
malicious JavaScript which steals his Firefox Account password. Mozilla could
do this of their own accord, could be suborned by a malicious employee but
even more likely could be ordered to do so by any government which has that
authority.

0: https://bugzilla.mozilla.org/show_bug.cgi?id=1487081#c3

