Arch Linux Security Advisory ASA-201602-12 ========================================== Severity: High Date : 2016-02-13 CVE-ID : CVE-2016-1949 Package : firefox Type : same-origin policy bypass Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package firefox before version 44.0.2-1 is vulnerable to same-origin policy bypass. Resolution ========== Upgrade to 44.0.2-1. # pacman -Syu "firefox>=44.0.2-1" The problem has been fixed upstream in version 44.0.2. Workaround ========== None. Description =========== Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin. Impact ====== A remote attacker might be able to bypass the same-origin policy and gain access to sensitive information. References ========== https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/ https://access.redhat.com/security/cve/CVE-2016-1949