Cross domain access to object constructors can be used to facilitate cross-site scripting – Opera Security Advisories

Severity

High

Description

JavaScript code can redefine and override the methods of native objects, including the native objects of any document that shares the same origin. By redefining the methods of another document through the constructor property of that document’s host objects, a malicious script can cause Opera to override methods of native objects in documents from different origins. When scripts in those target documents later call those methods, they run the code defined by the malicious document, in the context of the target site. This allows cross-site scripting (XSS) attacks.
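The mechanism described above can be reproduced in Node.js, where each `vm` context has its own native objects, much like a separate document. This is an added example, not code from Opera or the reporter; `makeDocument`, `shared`, `render` and the other names are constructed for illustration. It goes slightly beyond the advisory by also showing a frozen prototype rejecting the override, as defence in depth on the page side.

```javascript
const vm = require('node:vm');

// Constructed stand-in for a target document: a realm with its own native
// objects, a script that relies on Array.prototype.join, and one object
// (`shared`) that code outside the realm holds a reference to.
function makeDocument(hardened) {
  const realm = vm.createContext({});
  vm.runInContext(`
    ${hardened ? 'Object.freeze(Array.prototype);' : ''}
    var shared = [];
    function render(items) { return items.join(', '); }
  `, realm);
  return realm;
}

// Code holding only `shared` follows .constructor to the realm's own Array
// and tries to replace a method that every array in that realm inherits.
function overrideViaConstructor(sharedObject) {
  'use strict'; // a write to a frozen prototype throws instead of failing silently
  try {
    sharedObject.constructor.prototype.join = function () { return 'REPLACED'; };
    return 'overridden';
  } catch (err) {
    return err.name;
  }
}

function demo(hardened) {
  const doc = makeDocument(hardened);
  const sameArray = doc.shared.constructor === Array; // false: separate realm
  const outcome = overrideViaConstructor(doc.shared);
  // The document's own script now runs, unaware of what happened to join.
  const rendered = vm.runInContext('render(["a", "b"])', doc);
  return { sameArray, outcome, rendered };
}

console.log(demo(false)); // override lands in the other realm
console.log(demo(true));  // frozen prototype rejects the write
```

Freezing only limits which objects can be altered from inside the page; the issue itself is fixed in the browser, in Opera 12.10.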

Opera’s Response

Opera Software has released Opera 12.10, where this issue has been fixed.

Credits

Thanks to Gareth Heyes for reporting this issue to Opera Software.