You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2014-09

Mozilla Foundation Security Advisory 2014-09

Title: Cross-origin information leak through web workers
Impact: High
Announced: February 4, 2014
Reporter: Masato Kinugawa
Products: Firefox, Thunderbird, Seamonkey

Fixed in: Firefox 27
  Firefox ESR 24.3
  Thunderbird 24.3
  Seamonkey 2.24

Description

Security researcher Masato Kinugawa reported a cross-origin information leak through web workers' error messages. This violates same-origin policy and the leaked information could potentially be used to gather authentication tokens and other data from third-party websites.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled in mail, but is potentially a risk in browser or browser-like contexts.

References