Mozilla Foundation Security Advisory 2015-56

Untrusted site hosting trusted page can intercept webchannel responses

Announced
May 12, 2015
Reporter
Mark Hammond
Impact
High
Products
Firefox, Firefox OS, SeaMonkey
Fixed in
  • Firefox 38
  • Firefox OS 2.2
  • SeaMonkey 2.35

Description

Mozilla developer Mark Hammond reported a flaw in how WebChannel.jsm handles message traffic. He found that when a trusted page is hosted within an <iframe> on an untrusted third-party untrusted framing page, the untrusted page could intercept webchannel responses meant for the trusted page, bypassing origin restrictions.

References