Endpoint Vulnerability

User-defined properties on DOM proxies get the wrong 'this' object

Description

Mozilla developer Boris Zbarsky reported that user-defined getters on DOM proxies would incorrectly get the expando object as this. It is unlikely that this is directly exploitable but could lead to JavaScript client or add-on code making incorrect security sensitive decisions based on hacker supplied values.

Affected Products

Firefox,Firefox ESR

References

CVE-2013-1737,