sIFR 2.0.5 has been released. Please upgrade to sIFR 2.0.5.
Yesterday, a security vulnerability was found in sIFR 2 and 3. Malicious websites can trick visitors into running JavaScript code on domains hosting sIFR movies. No exploits are known. If you are currently using sIFR 2, you are advised to update to version 2.0.3.
You’ll need to update the sifr.js file and re-export the sIFR movies.
Detailed description
sIFR passes the text it has to render to the Flash movie using Flash variables. Normally these variables are specified using a flashvars parameter, however they can also be passed using the query string. Malicious websites can craft an iframe which points to a sIFR movie on the target domain. An HTML link to some JavaScript code can be passed to the movie through the query string. When a visitor of the malicious website clicks on the link, the code is run on the domain the movie resides. Vulnerable browsers are Firefox, Safari, Opera and Netscape. This specific attack does not work in Internet Explorer. An alternative attack is to load the movie directly or in a popup window, this does work in Internet Explorer.
sIFR 2.0.3 prevents this attack by not rendering any content that is passed through the query string. Credit goes to Arseny Vesnin for finding the vulnerability.
Other changes since version 2.0.2
- sIFR has been disabled for Safari 1.0.
- If the
innerHTMLof an element containing a sIFR movie changes, the sIFR movie will fail to render. Upgrade to sIFR 3 to fix this.
sIFR 2.0.5 has been released. Please upgrade to sIFR 2.0.5.