Security researchers Linus Särud and Matthew Bryant have recently discovered some pretty big holes in NoScript, a popular Firefox plugin that prevents executable web content such as JavaScript, Java, Flash, and other plugins from being loaded from sites users haven't designated as "trusted".
The vulnerabilities have been spotted in the plugin's whitelist, which is, by default, filled with some popular sites. Other sites can be added manually by the users themselves.
Bryant discovered that the whitelist automatically includes all subdomains of the trusted domains (if the entries are not preceded by http(s)://). After checking each default trusted domain, he also discovered that one of them, zendcdn.net, had expired!
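The whitelist behaviour described above can be modelled to audit which entries implicitly trust every subdomain. This is an added example, not NoScript's own code: the function names are hypothetical, the matching rule is a simplified model of what the article reports, and the `https://example.org` entry is a constructed sample.

```javascript
// Simplified model of the whitelist rule reported in the article (assumption):
//  - a bare entry ("zendcdn.net") trusts that host and every subdomain of it
//  - an entry with a scheme ("https://example.org") trusts only that exact
//    scheme + host (ports are ignored in this model)

function parseEntry(entry) {
  const raw = entry.trim();
  if (/^https?:\/\//i.test(raw)) {
    const u = new URL(raw);
    return { raw, scheme: u.protocol, host: u.hostname, subdomains: false };
  }
  return { raw, scheme: null, host: raw.toLowerCase(), subdomains: true };
}

// Would a script served from pageUrl be allowed to run under this whitelist?
function isTrusted(pageUrl, whitelist) {
  const u = new URL(pageUrl);
  const host = u.hostname; // URL already lower-cases the hostname
  return whitelist.map(parseEntry).some((e) => {
    if (!e.subdomains) {
      return e.scheme === u.protocol && e.host === host;
    }
    // Match on a label boundary so "notzendcdn.net" is not treated as
    // a subdomain of "zendcdn.net".
    return host === e.host || host.endsWith("." + e.host);
  });
}

// List the entries that implicitly extend trust to all subdomains. These are
// the ones whose domain registration and DNS records are worth reviewing.
function auditWhitelist(whitelist) {
  return whitelist.map(parseEntry).filter((e) => e.subdomains).map((e) => e.raw);
}

// Constructed sample: one bare entry (named in the article), one scheme-qualified.
const SAMPLE_WHITELIST = ["zendcdn.net", "https://example.org"];

console.log("Entries trusting all subdomains:", auditWhitelist(SAMPLE_WHITELIST));
```

Every entry the audit returns extends trust to whoever controls that domain or any host under it, which is why an expired registration in the default list matters.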