Mozilla Foundation Security Advisory 2016-17

Local file overwriting and potential privilege escalation through CSP reports

March 8, 2016
Nicolas Golubovic
Firefox, Firefox ESR, Thunderbird
Fixed in
  • Firefox 45
  • Firefox ESR 38.7
  • Thunderbird 38.7
  • Thunderbird 45


Security researcher Nicolas Golubovic reported that a malicious page can overwrite files on the user's machine using Content Security Policy (CSP) violation reports. The file contents are restricted to the JSON format of the report. In many cases overwriting a local file may simply be destructive, breaking the functionality of that file. The CSP error reports can include HTML fragments which could be rendered by browsers. If a user has disabled add-on signing and has installed an "unpacked" add-on, a malicious page could overwrite one of the add-on resources. Depending on how this resource is used, this could lead to privilege escalation.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.