Use-after-free in Content Policy due to microtask execution error
- July 2, 2015
- Firefox, Firefox ESR, SeaMonkey, Thunderbird
- Fixed in
  - Firefox 39
  - Firefox ESR 38.1
  - SeaMonkey 2.35
  - Thunderbird 38.1
Security researcher Herre reported a use-after-free vulnerability that occurs when a Content Policy modifies the Document Object Model to remove a DOM object, and that object is then used afterwards because of an error in the microtask implementation. This leads to an exploitable crash.
In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.