CVE-2013-1690 — Mozilla Firefox and Thunderbird Denial-of-Service Vulnerability

CVE-2013-1690

Mozilla Firefox and Thunderbird — XMLHttpRequest onreadystatechange Use-After-Free Enables Remote Code Execution

What is Mozilla Firefox?

Mozilla Firefox is an open-source web browser used by hundreds of millions of people. Firefox implements XMLHttpRequest (XHR) — the JavaScript API for asynchronous HTTP requests — and fires readystatechange events as XHR responses are received. These events are handled in the browser's event loop, which also manages DOM operations including page navigation and reloading.

Overview

CVE-2013-1690 is a memory corruption vulnerability (CWE-119) in how Mozilla Firefox and Thunderbird handle onreadystatechange events in conjunction with page reloading. When a JavaScript onreadystatechange handler triggers a page reload while an XHR request is in-flight, a use-after-free condition can occur as the browser accesses the in-flight XHR object after its underlying memory has been released during the navigation. This can result in exploitable memory corruption allowing arbitrary code execution.

Mozilla patched this in Firefox 22 and Thunderbird 17.0.7 via security advisory MFSA 2013-53.

Affected Versions

| Product | Vulnerable Versions | Fixed Version |
| --- | --- | --- |
| Mozilla Firefox | Firefox 21 and earlier | Firefox 22 |
| Mozilla Firefox ESR | 17.0.6 and earlier | 17.0.7 |
| Mozilla Thunderbird | 17.0.6 and earlier | 17.0.7 |
| Mozilla Thunderbird ESR | 17.0.6 and earlier | 17.0.7 |
| Mozilla SeaMonkey | 2.18 and earlier | 2.19 |

Technical Details

Firefox's XHR implementation fires readystatechange events as an HTTP request progresses through states (OPENED, HEADERS_RECEIVED, LOADING, DONE). The vulnerability occurs at the interaction between XHR event dispatch and page navigation:

  1. A page initiates an XHR request with an onreadystatechange handler
  2. In the onreadystatechange handler, JavaScript triggers a page reload or navigation
  3. The navigation begins tearing down the current page context — including XHR objects — while the XHR event dispatch is still in progress
  4. Firefox subsequently accesses the freed XHR object when completing the event dispatch sequence, triggering memory corruption (CWE-119)

The resulting crash can be exploitable: an attacker who controls the heap layout (via JavaScript heap spray) may redirect execution into attacker-controlled data when the freed pointer is dereferenced. The CVSS 3.1 score of 8.8, with High impact on confidentiality, integrity and availability, reflects the full RCE potential.

Thunderbird exposure: The vulnerability also affects Thunderbird because Thunderbird uses the Gecko rendering engine (shared with Firefox) to render HTML email. A malicious HTML email with embedded JavaScript performing XHR could trigger the vulnerability in Thunderbird — though Thunderbird applies stricter JavaScript restrictions than Firefox for remote content.

Discovery

The vulnerability was discovered through internal Mozilla security research and fuzzing. It was fixed as part of the June 2013 Firefox 22 release cycle in MFSA 2013-53.

Exploitation Context

CISA confirmed in-the-wild exploitation. Browser XHR race-condition vulnerabilities of this type are attractive to exploit kit authors because the trigger is pure JavaScript with no plugins required. The vulnerability was relevant to the 2013 timeframe when exploit kits like Blackhole actively incorporated Mozilla Firefox vulnerabilities alongside Internet Explorer and Java flaws.

Remediation

  1. Update Firefox to version 22 or later — MFSA 2013-53 patches this vulnerability
  2. Update Thunderbird to 17.0.7 or later
  3. Enable automatic updates for Firefox and Thunderbird
  4. For organizations running older Firefox ESR branches, prioritize upgrading to current ESR
  5. Consider Content Security Policy (CSP) deployment on internal web applications to restrict XHR origins and reduce attack surface
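
An inventory check built from the Affected Versions table above (an added example, not code from Mozilla or CISA). A single threshold comparison gets the ESR branches wrong, since Firefox ESR 17.0.7 is fixed while Firefox 21 is not, so the fixed version is looked up per product and channel. The CSV layout, the channel labels and the host names are assumptions constructed for the example.

```python
import csv
import io
import re

# First fixed version per (product, channel), from the Affected Versions table.
# The channel labels "release" and "esr" are assumptions of this example.
FIXED = {
    ("firefox", "release"): (22,),
    ("firefox", "esr"): (17, 0, 7),
    ("thunderbird", "release"): (17, 0, 7),
    ("thunderbird", "esr"): (17, 0, 7),
    ("seamonkey", "release"): (2, 19),
}

def parse_version(text):
    """'17.0.6' or '17.0.6esr' -> (17, 0, 6); ValueError if no leading digits."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def is_vulnerable(product, channel, version):
    """True/False per the table; None when the product/channel is not listed."""
    fixed = FIXED.get((product.strip().lower(), channel.strip().lower()))
    if fixed is None:
        return None
    have = parse_version(version)
    width = max(len(have), len(fixed))  # zero-pad so "22" compares equal to "22.0"
    return have + (0,) * (width - len(have)) < fixed + (0,) * (width - len(fixed))

def audit(inventory_csv):
    """Return (host, product, version) for rows below the fixed version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["product"], r["version"]) for r in rows
            if is_vulnerable(r["product"], r["channel"], r["version"])]

# Constructed sample inventory; host names and CSV layout are made up.
SAMPLE = """host,product,channel,version
ws-01,Firefox,release,21.0
ws-02,Firefox,esr,17.0.7
ws-03,Firefox,release,22.0
ws-04,Thunderbird,release,17.0.6
ws-05,SeaMonkey,release,2.18
ws-06,Firefox,esr,17.0.6esr
ws-07,Chrome,release,27.0
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Products not listed in the table return None from is_vulnerable and are left out of the audit result rather than reported as safe.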

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2013-1690 |
| Vendor / Product | Mozilla — Firefox and Thunderbird |
| NVD Published | 2013-06-26 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-119 |
| CISA KEV Added | 2022-03-28 |
| CISA KEV Deadline | 2022-04-18 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2013-06-25 | Mozilla releases Firefox 22 and Thunderbird 17.0.7 patching CVE-2013-1690 (MFSA 2013-53) |
| 2013-06-26 | CVE-2013-1690 published |
| 2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-18 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
| --- | --- |
| NVD — CVE-2013-1690 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Mozilla Security Advisory MFSA 2013-53 | Vendor Advisory |