Mozilla Foundation Security Advisory 2015-40

Same-origin bypass through anchor navigation

Announced
March 31, 2015
Reporter
Olli Pettay, Boris Zbarsky
Impact
High
Products
Firefox, Firefox ESR, Firefox OS, SeaMonkey, Thunderbird
Fixed in
  • Firefox 37
  • Firefox ESR 31.6
  • Firefox OS 2.2
  • SeaMonkey 2.35
  • Thunderbird 31.6

Description

Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass same-origin policy protections to run scripts in a privileged context. This newer variant found that the same flaw could be used during anchor navigation of a page, allowing bypassing of same-origin policy protections.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References