Firefox Health Reports could accept events from untrusted domains

ID MFSA2016-48
Type mozilla
Reporter Mozilla Foundation
Modified 2016-04-26T00:00:00


Mozilla engineer Mark Goodwin discovered that the Firefox Health Report (about:healthreport) accepts certain events from any content document present in the remote-report iframe. If there were another vulnerability that allowed the injection of web content into the Firefox Health Report iframe, this content could change the sharing preferences of a user by firing the appropriate events at its containing page.
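
The class of check this advisory concerns, as an added example that is not Firefox code and not part of the original advisory: a containing page that acts on events from an embedded frame, first without and then with validation of the dispatching document's origin. The event shape, command names, `REPORT_ORIGIN` and the sample URLs are all hypothetical.

```javascript
// Added example. All names (REPORT_ORIGIN, command names, event shape) are
// hypothetical and model the advisory's scenario; this is not Firefox code.
const REPORT_ORIGIN = "https://reports.example"; // constructed trusted origin
const ALLOWED_COMMANDS = new Set(["EnableSharing", "DisableSharing"]);

function applyCommand(prefs, command) {
  if (command === "EnableSharing") prefs.sharingEnabled = true;
  if (command === "DisableSharing") prefs.sharingEnabled = false;
}

// Weak form: acts on any event that reaches the containing page,
// regardless of which document dispatched it.
function handleUnchecked(event, prefs) {
  applyCommand(prefs, event.detail.command);
  return true;
}

// Hardened form: resolve the dispatching document's origin and compare it
// to the single expected report origin before touching preferences.
function handleChecked(event, prefs, trustedOrigin = REPORT_ORIGIN) {
  let origin;
  try {
    origin = new URL(event.sourceDocumentURI).origin;
  } catch {
    return false; // missing or malformed URI: reject
  }
  if (origin !== trustedOrigin) return false; // exact match, no prefix tests
  const command = event.detail && event.detail.command;
  if (!ALLOWED_COMMANDS.has(command)) return false;
  applyCommand(prefs, command);
  return true;
}

// Constructed sample events: one from the expected report document, one from
// a document on another origin that ended up inside the same frame.
const fromReport = { sourceDocumentURI: "https://reports.example/v1/", detail: { command: "DisableSharing" } };
const fromOther = { sourceDocumentURI: "https://other.example/page", detail: { command: "EnableSharing" } };

// Runs the foreign-origin event through both handlers and reports the result.
function demo() {
  const weak = { sharingEnabled: false };
  const hard = { sharingEnabled: false };
  handleUnchecked(fromOther, weak);
  const accepted = handleChecked(fromOther, hard);
  return { weak: weak.sharingEnabled, hard: hard.sharingEnabled, accepted };
}
```

Comparing the parsed origin for exact equality, rather than testing a URL prefix, also rejects lookalike hosts such as `reports.example.other.test`.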