SVG filters information disclosure through feDisplacementMap
- March 18, 2014
- Robert O'Callahan
- Firefox, Firefox ESR, SeaMonkey, Thunderbird
- Fixed in
- Firefox 28
- Firefox ESR 24.4
- SeaMonkey 2.25
- Thunderbird 24.4
Mozilla developer Robert O'Callahan reported a mechanism for
timing attacks involving SVG filters and displacements input to
feDisplacementMap. This allows displacements to potentially be
correlated with values derived from content. This is similar to the previously
reported techniques used for SVG timing attacks and could allow for text values
to be read across domains, leading to information disclosure.
In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.