Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-xwn1-qre7-k7cc
Vulnerability ID VCID-xwn1-qre7-k7cc
Aliases CVE-2009-3985
Summary Security researcher Jonathan Morgan reported that when a page loaded over an insecure protocol, such as http: or file:, sets its document.location to a https: URL which responds with a 204 status and empty response body, the insecure page will receive SSL indicators near the location bar, but will not have its page content modified in any way. This could lead to a user believing they were on a secure page when in fact they were not.Security researcher Jordi Chancel reported an issue similar to one fixed in mfsa2009-44 in which a web page can set document.location to a URL that can't be displayed properly and then inject content into the resulting blank page. An attacker could use this vulnerability to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the page, resulting in a spoofing attack.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.00461 https://api.first.org/data/v1/epss?cve=CVE-2009-3985
generic_textual none https://www.mozilla.org/en-US/security/advisories/mfsa2009-69
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3985.json
https://api.first.org/data/v1/epss?cve=CVE-2009-3985
546726 https://bugzilla.redhat.com/show_bug.cgi?id=546726
CVE-2009-3985 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3985
GLSA-201301-01 https://security.gentoo.org/glsa/201301-01
mfsa2009-69 https://www.mozilla.org/en-US/security/advisories/mfsa2009-69
RHSA-2009:1674 https://access.redhat.com/errata/RHSA-2009:1674
USN-873-1 https://usn.ubuntu.com/873-1/
USN-874-1 https://usn.ubuntu.com/874-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.64461
EPSS Score 0.00461
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:27:40.913085+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2009/mfsa2009-69.md 38.6.0