Cross-origin information leak through web workers
- February 4, 2014
- Masato Kinugawa
- Firefox, Firefox ESR, SeaMonkey, Thunderbird
- Fixed in
- Firefox 27
- Firefox ESR 24.3
- SeaMonkey 2.24
- Thunderbird 24.3
Security researcher Masato Kinugawa reported a cross-origin information leak through web workers' error messages. This violates same-origin policy and the leaked information could potentially be used to gather authentication tokens and other data from third-party websites.
In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled in mail, but is potentially a risk in browser or browser-like contexts.