Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.
Security researcher Johnathan Kuskos reported that Firefox is sending data in the body of XMLHttpRequest (XHR) HEAD requests, which goes against the XHR specification. This can potentially be used for Cross-Site Request Forgery (CSRF) attacks against sites which do not distinguish between HEAD and POST requests.
Security researcher Paul Stone of <ahref="http://www.contextis.co.uk/">Context Information Security discovered that timing differences in the processing of SVG format images with filters could allow for pixel values to be read. This could potentially allow for text values to be read across domains, leading to information disclosure.
Mozilla developer Boris Zbarsky found that when PreserveWrapper was used in cases where a wrapper is not set, the preserved-wrapper flag on the wrapper cache is cleared. This could potentially lead to an exploitable crash.
Mozilla community member Bob Owen reported that <iframe sandbox> restrictions are not applied to a frame element contained within a sandboxed iframe. As a result,content hosted within a sandboxed iframe could use a frame element to bypass the restrictions that should be applied.
Bugzilla developer Frédéric Buclin reported that the X-Frame-Options header is ignored when server push is used in multi-part responses. This can lead to potential clickjacking on sites that use X-Frame-Options as a protection.
Mozilla security researcher moz_bug_r_a4 reported that XrayWrappers can be bypassed to call content-defined toString and valueOf methods through DefaultValue . This can lead to unexpected behavior when privileged code acts on the incorrect values.
Mozilla engineer Matt Wobensmith discovered that when the getUserMedia permission dialog for an iframe appears in one domain, it will display its origin as that of the top-level document and not the calling framed page. This could lead to users incorrectly giving camera or microphone permissions when confusing the requesting page"s location for a hosting one"s.
Security researcher 3ric Johanson reported in discussions with Richard Newman and Holt Sorenson thatVerisign"s prevention measures for homograph attacks using InternationalizedDomain Names (IDN) were insufficiently rigorous, and this led to a limited possibility for domain spoofing in Firefox. IDN allows non-English speakers to use domains in their local language. Manysupported characters are ...
Security researcher Nils used the Address Sanitizer to discover a use-after-free problem when generating a Certificate Request Message Format (CRMF) request with certain parameters. This causes a potentially exploitable crash.