Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 503
Alerts This Week
Warning Icon 1 503

Arch Linux 201510-10 High Severity: Firefox Cross-Origin Access Risk

Archlinux Large Esm H446
The package firefox before version 41.0.2-1 is vulnerable to cross-origin restriction bypass.
Arch Linux Security Advisory ASA-201510-10
=========================================
Severity: High
Date    : 2015-10-16
CVE-ID  : CVE-2015-7184
Package : firefox
Type    : cross-origin restriction bypass
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package firefox before version 41.0.2-1 is vulnerable to
cross-origin restriction bypass.

Resolution
=========
Upgrade to 41.0.2-1.

# pacman -Syu "firefox>=41.0.2-1"

The problem has been fixed upstream in version 41.0.2.

Workaround
=========
None.

Description
==========
Security researcher Abdulrahman Alqabandi reported that the fetch() API
did not correctly implement the Cross-Origin Resource Sharing (CORS)
specification, allowing a malicious page to access private data from
other origins. Mozilla developer Ben Kelly independently reported the
same issue.

Impact
=====
A remote attacker can bypass the cross-origin resource sharing policy to
access sensitive information.

References
=========
https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/
https://www.cve.org/CVERecord?id=CVE-2015-7184