Mozilla Foundation Security Advisory 2015-92

Use-after-free in XMLHttpRequest with shared workers

Announced
August 11, 2015
Reporter
Looben Yang
Impact
High
Products
Firefox, Firefox ESR, Firefox OS, SeaMonkey
Fixed in
  • Firefox 40
  • Firefox ESR 38.2
  • Firefox OS 2.5
  • SeaMonkey 2.35

Description

Security researcher Looben Yang discovered a use-after-free vulnerability when recursively calling .open() on an XMLHttpRequest in a SharedWorker.

References