Mozilla Foundation Security Advisory 2016-48

Firefox Health Reports could accept events from untrusted domains

Announced
April 26, 2016
Reporter
Mark Goodwin
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 46

Description

Mozilla engineer Mark Goodwin discovered that the Firefox Health Report (about:healthreport) accepts certain events from any content document present in the remote-report iframe. If there were another vulnerability that allowed the injection of web content into the Firefox Health Report iframe, this content could change the sharing preferences of a user by firing the appropriate events at its containing page.
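The following is an added example, not Mozilla's code and not the Firefox patch: it contrasts a containing page that acts on any event from its iframe with one that first checks which document sent it. The event shape, the `senderURL` field, the trusted origin and the command names are all hypothetical and do not reflect Firefox internals.

```javascript
// Added illustration. All names, URLs and commands are constructed.
const TRUSTED_REPORT_ORIGIN = "https://report.example.org"; // assumed trusted origin

// Stand-in for the sharing preference owned by the containing page.
function makePrefs() {
  return { sharingEnabled: true };
}

// Origin of the document that fired the event, or null if its URL cannot be parsed.
function senderOrigin(event) {
  try {
    return new URL(event.senderURL).origin;
  } catch (e) {
    return null;
  }
}

function applyCommand(prefs, event) {
  if (event.command === "disable-sharing") prefs.sharingEnabled = false;
  if (event.command === "enable-sharing") prefs.sharingEnabled = true;
}

// Weak pattern: any document loaded in the iframe can change the preference.
function handleEventUnchecked(prefs, event) {
  applyCommand(prefs, event);
  return true;
}

// Hardened pattern: act only on an exact origin match. Comparing parsed origins
// (not string prefixes) rejects look-alike hosts and opaque origins such as data: URLs.
function handleEventChecked(prefs, event) {
  if (senderOrigin(event) !== TRUSTED_REPORT_ORIGIN) return false;
  applyCommand(prefs, event);
  return true;
}

// Constructed sample events.
const fromReport = { senderURL: "https://report.example.org/v1/", command: "disable-sharing" };
const fromLookalike = { senderURL: "https://report.example.org.untrusted.test/", command: "disable-sharing" };
const fromDataUrl = { senderURL: "data:text/html,<p>x</p>", command: "disable-sharing" };
```
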
