Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to bypass the HTML5 frame-navigation policy and replace arbitrary sub-frames by creating a form submission target with a sub-frames name attribute.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Firefox | Mozilla | 4.0 (including) | 4.0 (including) |
| Firefox | Mozilla | 4.0-beta1 (including) | 4.0-beta1 (including) |
| Firefox | Mozilla | 4.0-beta10 (including) | 4.0-beta10 (including) |
| Firefox | Mozilla | 4.0-beta11 (including) | 4.0-beta11 (including) |
| Firefox | Mozilla | 4.0-beta12 (including) | 4.0-beta12 (including) |
| Firefox | Mozilla | 4.0-beta2 (including) | 4.0-beta2 (including) |
| Firefox | Mozilla | 4.0-beta3 (including) | 4.0-beta3 (including) |
| Firefox | Mozilla | 4.0-beta4 (including) | 4.0-beta4 (including) |
| Firefox | Mozilla | 4.0-beta5 (including) | 4.0-beta5 (including) |
| Firefox | Mozilla | 4.0-beta6 (including) | 4.0-beta6 (including) |
| Firefox | Mozilla | 4.0-beta7 (including) | 4.0-beta7 (including) |
| Firefox | Mozilla | 4.0-beta8 (including) | 4.0-beta8 (including) |
| Firefox | Mozilla | 4.0-beta9 (including) | 4.0-beta9 (including) |
| Firefox | Mozilla | 4.0.1 (including) | 4.0.1 (including) |
| Firefox | Mozilla | 5.0 (including) | 5.0 (including) |
| Firefox | Mozilla | 5.0.1 (including) | 5.0.1 (including) |
| Firefox | Mozilla | 6.0 (including) | 6.0 (including) |
| Firefox | Mozilla | 6.0.1 (including) | 6.0.1 (including) |
| Firefox | Mozilla | 6.0.2 (including) | 6.0.2 (including) |
| Firefox | Mozilla | 7.0 (including) | 7.0 (including) |
| Firefox | Mozilla | 8.0 (including) | 8.0 (including) |
| Firefox | Mozilla | 8.0.1 (including) | 8.0.1 (including) |
| Firefox | Mozilla | 9.0 (including) | 9.0 (including) |