Mozilla Foundation Security Advisory 2015-136

Same-origin policy violation using performance.getEntries and history navigation

Announced: December 15, 2015
Reporter: cgvwzq
Impact: High
Products: Firefox, Firefox ESR
Fixed in:
  • Firefox 43
  • Firefox ESR 38.7

Description

Security researcher cgvwzq reported that it is possible to read cross-origin URLs following a redirect if performance.getEntries() is used along with an iframe to host a page. When script navigates back in history, the content is pulled from the browser cache for the redirected location instead of going to the original location. This is a same-origin policy violation and could allow for data theft.

This issue affects other browsers as well and is not limited to Mozilla products.

References