[arch-security] [ASA-201602-12] firefox: same-origin policy bypass
rgacogne at archlinux.org
Sat Feb 13 20:56:49 UTC 2016
Arch Linux Security Advisory ASA-201602-12
Date : 2016-02-13
CVE-ID : CVE-2016-1949
Package : firefox
Type : same-origin policy bypass
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package firefox before version 44.0.2-1 is vulnerable to same-origin policy bypass.
Upgrade to 44.0.2-1.
# pacman -Syu "firefox>=44.0.2-1"
The problem has been fixed upstream in version 44.0.2.
Jason Pang of OneSignal reported that service workers intercept
responses to plugin network requests made through the browser. Plugins
which make security decisions based on the content of network requests
can have these decisions subverted if a service worker forges responses
to those requests. For example, a forged crossdomain.xml could allow a
malicious site to violate the same-origin policy using the Flash plugin.
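The following is a model of the subversion described above, added here as an illustration; it is not code from the advisory, from Mozilla, or from any plugin. The hosts victim.example, attacker.example and partner.example and both policy documents are constructed for the demo, the policy reader handles only the common domain patterns of a Flash cross-domain policy (the real rules also cover ports, the secure attribute and meta-policies), and the "fixed" path simply does not consult the service worker, which is the behaviour the advisory implies rather than a description of the upstream patch.

```javascript
// Constructed example. The hosts and policies below are made up for the demo.

// The policy the attacker's service worker hands back for any crossdomain.xml
// request: it grants every domain access.
const FORGED_POLICY =
  '<?xml version="1.0"?>' +
  '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>';

// What the real victim site actually serves (constructed): only partner.example
// may read it cross-origin.
const CONSTRUCTED_NETWORK = {
  'https://victim.example/crossdomain.xml':
    '<?xml version="1.0"?>' +
    '<cross-domain-policy><allow-access-from domain="partner.example"/></cross-domain-policy>',
};

// Stand-in for the real network: returns the body, or null for an unknown URL.
function networkFetch(url) {
  return Object.prototype.hasOwnProperty.call(CONSTRUCTED_NETWORK, url)
    ? CONSTRUCTED_NETWORK[url]
    : null;
}

// Minimal reader for <allow-access-from domain="..."/> entries. It understands
// "*", "*.suffix" and an exact host, and nothing else.
function policyAllowsHost(policyXml, requesterHost) {
  const re = /<allow-access-from\b[^>]*\bdomain="([^"]*)"/g;
  let m;
  while ((m = re.exec(policyXml)) !== null) {
    const pattern = m[1];
    if (pattern === '*') return true;
    if (pattern.startsWith('*.')) {
      if (requesterHost.endsWith(pattern.slice(1))) return true;
    } else if (pattern === requesterHost) {
      return true;
    }
  }
  return false;
}

// The attacker page's service worker, written as a plain function instead of a
// 'fetch' event listener so it runs outside a browser. `next` is the network.
function forgingServiceWorker(url, next) {
  if (new URL(url).pathname === '/crossdomain.xml') {
    return FORGED_POLICY; // the request never reaches the victim site
  }
  return next(url);
}

// Model of the plugin's decision: fetch the target site's policy through the
// browser, then apply it to the host of the page embedding the plugin.
function pluginMayReadCrossOrigin(targetOrigin, requesterHost, browserFetch) {
  const policy = browserFetch(targetOrigin + '/crossdomain.xml');
  if (policy === null) return false;
  return policyAllowsHost(policy, requesterHost);
}

// Affected Firefox: a plugin request made on behalf of a page that has a
// registered service worker is routed through that worker.
function fetchViaServiceWorker(url) {
  return forgingServiceWorker(url, networkFetch);
}

// Fixed behaviour (modelled): plugin requests go to the network, not the worker.
function fetchBypassingServiceWorker(url) {
  return networkFetch(url);
}

// Same plugin, same embedding page, same target site; only the routing differs.
function demo() {
  const target = 'https://victim.example';
  return {
    fixed: pluginMayReadCrossOrigin(target, 'attacker.example', fetchBypassingServiceWorker),
    affected: pluginMayReadCrossOrigin(target, 'attacker.example', fetchViaServiceWorker),
  };
}

console.log(demo()); // { fixed: false, affected: true }
```

The point the model makes is that the plugin's check is only as trustworthy as the channel that delivered the policy: the victim site never granted attacker.example anything, yet the plugin, reading a response the attacker's own worker produced, concludes that it did.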
A remote attacker might be able to bypass the same-origin policy and
gain access to sensitive information.