Same-origin bypass through anchor navigation
- March 31, 2015
- Olli Pettay, Boris Zbarsky
- Firefox, Firefox ESR, Firefox OS, SeaMonkey, Thunderbird
- Fixed in
  - Firefox 37
  - Firefox ESR 31.6
  - Firefox OS 2.2
  - SeaMonkey 2.35
  - Thunderbird 31.6
Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass same-origin policy protections to run scripts in a privileged context. In this newer variant, the same flaw could be used during anchor navigation of a page, allowing same-origin policy protections to be bypassed.
In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.