CVE-2013-1675 — Mozilla Firefox Information Disclosure Vulnerability

Mozilla Firefox — nsDOMSVGZoomEvent Uninitialized Memory Leaks Process Data to Attacker-Controlled JavaScript

What is Mozilla Firefox?

Mozilla Firefox is an open-source web browser with hundreds of millions of users. Firefox's SVG (Scalable Vector Graphics) implementation supports DOM events including the SVGZoom event, which fires when the user zooms an SVG document embedded in a web page. Firefox's JavaScript engine exposes SVG zoom event objects — including their previousScale and newScale properties — to web page scripts through the DOM API.

Overview

CVE-2013-1675 is an improper initialization vulnerability (CWE-665) in Mozilla Firefox's implementation of SVG zoom events. The nsDOMSVGZoomEvent object's mPreviousScale and mNewScale member variables are not properly initialized before being exposed to JavaScript. A crafted web page can read these uninitialized values through an SVGZoom event handler, leaking raw data from Firefox's process memory — potentially including pointers, heap metadata, or other sensitive content — to the attacker's JavaScript.

Mozilla patched this vulnerability in Firefox 21 and Thunderbird 17.0.6 via security advisory MFSA 2013-46.

Affected Versions

| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| Mozilla Firefox | Firefox 20 and earlier | Firefox 21 |
| Mozilla Firefox ESR | 17.0.5 and earlier | 17.0.6 |
| Mozilla Thunderbird | 17.0.5 and earlier | 17.0.6 |
| Mozilla Thunderbird ESR | 17.0.5 and earlier | 17.0.6 |
| Mozilla SeaMonkey | 2.17 and earlier | 2.18 |

Technical Details

The nsDOMSVGZoomEvent C++ class represents the DOM SVGZoom event and exposes previousScale and newScale float properties. These are stored as C++ member variables (mPreviousScale, mNewScale). The flaw is that these members are not initialized to zero (or any defined value) in the constructor before the event object is dispatched to JavaScript.

When a web page triggers an SVG zoom event, the event object is created on the stack or heap with uninitialized memory for these fields. JavaScript reading event.previousScale or event.newScale receives whatever bytes happened to be at those memory locations — not a meaningful scale value.
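The constructor pattern described above, modelled as an added example (not Mozilla's code and not from the original page), together with a poison-fill regression check that flags any member a constructor skips. Only mPreviousScale and mNewScale come from the page; ZoomFields, the helper names, the 0xA5 poison byte, and zero as the initial value are assumptions.

```cpp
// Added illustration: every name except mPreviousScale/mNewScale is hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Stand-in for the two float members the page names.
struct ZoomFields {
    float mPreviousScale;
    float mNewScale;
};

constexpr unsigned char kPoison = 0xA5;  // constructed marker for "previous owner's data"

// "Before" pattern: the constructor assigns neither member, so the storage
// keeps whatever bytes it held when the allocator handed it out.
void ConstructBefore(unsigned char*) {}

// "After" pattern: every member gets a defined value before the object can
// reach script. Zero is an assumption here, not a value taken from the patch.
void ConstructAfter(unsigned char* storage) {
    const ZoomFields init{0.0f, 0.0f};
    std::memcpy(storage, &init, sizeof init);
}

// What a script-facing previousScale getter would return, as raw IEEE-754 bits.
std::uint32_t PreviousScaleBits(const unsigned char* storage) {
    std::uint32_t bits;
    std::memcpy(&bits, storage + offsetof(ZoomFields, mPreviousScale), sizeof bits);
    return bits;
}

// Regression check: poison the storage, run a constructor, count the bytes that
// still carry the poison. A nonzero result means a member was left unset.
std::size_t StaleBytesAfter(void (*construct)(unsigned char*), std::uint32_t* seenBits) {
    alignas(ZoomFields) unsigned char storage[sizeof(ZoomFields)];
    std::memset(storage, kPoison, sizeof storage);
    construct(storage);
    std::size_t stale = 0;
    for (unsigned char b : storage) stale += (b == kPoison);
    if (seenBits) *seenBits = PreviousScaleBits(storage);
    return stale;
}

int main() {
    std::uint32_t before = 0, after = 0;
    std::size_t sb = StaleBytesAfter(ConstructBefore, &before);
    std::size_t sa = StaleBytesAfter(ConstructAfter, &after);
    std::printf("before: %zu stale, 0x%08x\nafter: %zu stale, 0x%08x\n",
                sb, (unsigned)before, sa, (unsigned)after);
}
```

The storage is modelled as an explicit byte buffer so the check stays well-defined C++; reading a genuinely uninitialized member is undefined behaviour and is better caught with tools such as MemorySanitizer or Valgrind.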

Exploitation impact: An attacker-controlled web page can read floating-point values from uninitialized memory at each SVG zoom event, systematically leaking memory contents. While information disclosure alone isn't code execution, process memory leaks in browsers frequently serve as a component of more complex attacks:

  • Leaking heap pointers breaks ASLR, providing an address to target in a follow-on memory corruption exploit
  • Leaking stack data can reveal return addresses or canary values
  • Memory contents may include credentials, cookies, or other sensitive data

Discovery

The vulnerability was reported to Mozilla as part of the May 2013 Firefox security release cycle and fixed in MFSA 2013-46.

Exploitation Context

CISA added this to the KEV catalog in March 2022, confirming exploitation in the wild. Information disclosure vulnerabilities like this one are commonly used as ASLR-defeat components in multi-stage browser exploit chains — providing the memory layout information needed to reliably land a follow-on memory corruption exploit.

Remediation

  1. Update Firefox to version 21 or later — MFSA 2013-46 patches this vulnerability
  2. Update Thunderbird to 17.0.6 or later for email-based HTML content
  3. Modern Firefox versions include substantially hardened memory safety, making this class of uninitialized-memory information disclosure far less useful even when present
  4. Enable automatic Firefox updates to receive security patches promptly

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2013-1675 |
| Vendor / Product | Mozilla — Firefox |
| NVD Published | 2013-05-16 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-665 |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2013-05-14 | Mozilla releases Firefox 21 and Thunderbird 17.0.6 patching CVE-2013-1675 (MFSA 2013-46) |
| 2013-05-16 | CVE-2013-1675 published |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| NVD — CVE-2013-1675 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Mozilla Security Advisory MFSA 2013-46 | Vendor Advisory |