Mozilla Foundation Security Advisory 2015-108

Scripted proxies can access inner window

Announced
September 22, 2015
Reporter
André Bargull
Impact
Moderate
Products
Firefox, Firefox OS, SeaMonkey
Fixed in
  • Firefox 41
  • Firefox OS 2.5
  • SeaMonkey 2.38

Description

Security researcher André Bargull reported that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window in violation of the specification.

References