### [CVE-2007-5947](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5947)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI.

### POC

#### Reference
- http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues
- http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9873

#### Github
No PoCs found on GitHub currently.