Mozilla Foundation Security Advisory 2015-135

Crash with JavaScript variable assignment with unboxed objects

Announced: December 15, 2015
Reporter: Cajus Pollmeier
Impact: High
Products: Firefox
Fixed in:
  • Firefox 43

Description

Security researcher Cajus Pollmeier reported that Firefox 41 was crashing during some JavaScript variable assignments. The issue was caused by an implementation error involving unboxed objects and property storage in the JavaScript engine. This error could result in a potentially exploitable crash when triggered by JavaScript content, and could also lead to errors on some websites.

This crash was caused by a change to the JavaScript engine that first shipped in Firefox 41. Earlier versions of Firefox, including Firefox ESR 38, are unaffected by this problem.

References