Improper Whitelist in Mozilla Firefox Reader View Allows XSS Attacks via SVG Animations

Improper Whitelist in Mozilla Firefox Reader View Allows XSS Attacks via SVG Animations

CVE-2015-4518 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:P/A:N

The Reader View implementation in Mozilla Firefox before 42.0 has an improper whitelist, which makes it easier for remote attackers to bypass the Content Security Policy (CSP) protection mechanism and conduct cross-site scripting (XSS) attacks via vectors involving SVG animations and the about:reader URL.

Learn more about our Cis Benchmark Audit For Mozilla Firefox.