Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2016-47

Write to invalid HashMap entry through JavaScript.watch()

Announced
April 26, 2016
Reporter
CESG
Impact
High
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 46
  • Firefox ESR 38.8
  • Firefox ESR 45.1

Description

The CESG, the Information Security Arm of GCHQ, reported that the JavaScript .watch() method could be used to overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry. Under the right conditions this write could lead to arbitrary code execution. The overflow takes considerable time and a malicious page would require a user to keep it open for the duration of the attack.

References