The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm.
lists.fedoraproject.org/pipermail/package-announce/2014-November/141796.html
lists.fedoraproject.org/pipermail/package-announce/2014-October/141085.html
lists.opensuse.org/opensuse-updates/2014-11/msg00001.html
lists.opensuse.org/opensuse-updates/2014-11/msg00002.html
rhn.redhat.com/errata/RHSA-2014-1635.html
secunia.com/advisories/61854
secunia.com/advisories/62022
secunia.com/advisories/62023
www.debian.org/security/2014/dsa-3050
www.mozilla.org/security/announce/2014/mfsa2014-82.html
www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
www.securityfocus.com/bid/70424
www.securitytracker.com/id/1031028
www.securitytracker.com/id/1031030
www.ubuntu.com/usn/USN-2372-1
advisories.mageia.org/MGASA-2014-0421.html
bugzilla.mozilla.org/show_bug.cgi?id=1015540
security.gentoo.org/glsa/201504-01