Mozilla Foundation Security Advisory 2015-149

Cross-site reading attack through data and view-source URIs

Announced
December 15, 2015
Reporter
Tsubasa Iinuma
Impact
Critical
Products
Firefox, Firefox ESR, Firefox OS, Thunderbird
Fixed in
  • Firefox 43
  • Firefox ESR 38.5
  • Firefox OS 2.5
  • Thunderbird 38.5

Description

Security researcher Tsubasa Iinuma reported a mechanism to violate same-origin policy to content using data: and view-source: URIs to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References