Mozilla Foundation Security Advisory 2014-81

Inconsistent video sharing within iframe

Announced
October 14, 2014
Reporter
Eric Shepherd, Jan-Ivar Bruaroey
Impact
Moderate
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird
Fixed in
  • Firefox 33
  • Firefox ESR 31.2
  • SeaMonkey 2.30
  • Thunderbird 31.2

Description

Mozilla developers Eric Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video sharing using WebRTC. Once video sharing has started within a WebRTC session running within an <iframe>, video will continue to be shared even if the user selects the &quote;Stop Sharing" button in the controls. The camera will also remain on even if the user navigates to another site and will begin streaming again if the user returns to the original site. This is a privacy problem and can lead to inadvertent video streaming. This does not affect implementations that are not within an <iframe>.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References