Arbitrary JavaScript Code Execution via Resource: URLs in Mozilla Firefox and Thunderbird


CVE-2015-0816 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.
