
8415 matches found

CVE
added 2018/06/11 9:0 p.m. | 178 views

CVE-2017-7787

CVE-2017-7787 is a same-origin policy bypass vulnerability affecting Thunderbird and Firefox browsers. Affected products include Thunderbird versions older than 52.3, Firefox ESR older than 52.3, and Firefox older than 55. The issue occurs on pages with embedded iframes during page reloads, allow...

7.5 CVSS | 7.6 AI score | 0.02376 EPSS
Exploits: 1 | References: 11 | Affected Software: 1

CVE
added 2018/06/11 9:0 p.m. | 150 views

CVE-2017-7830

CVE-2017-7830 involves a cross-origin information disclosure through the Resource Timing API that could reveal navigations loaded in iframes, constituting a same-origin policy violation. Public documentation in Debian and CVE databases tie this to WebKit-related handling in Safari/WebKit componen...

6.5 CVSS | 7.1 AI score | 0.02485 EPSS
Exploits: 0 | References: 13 | Affected Software: 1

Cvelist
added 2018/06/11 9:0 p.m. | 20 views

CVE-2017-5407

Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information...

6.9 AI score | 0.02806 EPSS
Exploits: 1 | References: 14

CVE
added 2018/06/11 9:0 p.m. | 87 views

CVE-2017-7759

Firefox for Android prior to version 54 is affected by CVE-2017-7759, where Android intent URLs can cause navigation from HTTP/HTTPS to local file: URLs, potentially exposing local data due to a same-origin policy violation. The issue is fixed in Firefox 54 (as noted in mfsa2017-15). Affected pro...

7.5 CVSS | 7.5 AI score | 0.00675 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

Cvelist
added 2018/06/11 9:0 p.m. | 16 views

CVE-2017-7787

Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird 52.3, Firefox ESR 52.3, and Firefox 55...

7.8 AI score | 0.02376 EPSS
Exploits: 1 | References: 11

Cvelist
added 2018/06/11 9:0 p.m. | 23 views

CVE-2018-5116

WebExtensions with the "ActiveTab" permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins into the loaded page and then interact with them, bypassing same-origin user expectations with th...

8.8 AI score | 0.01125 EPSS
Exploits: 0 | References: 5

Cvelist
added 2018/06/11 9:0 p.m. | 17 views

CVE-2018-5157

Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR 52.8 an...

6.4 AI score | 0.01557 EPSS
Exploits: 0 | References: 11

CVE
added 2018/06/11 9:0 p.m. | 166 views

CVE-2018-5157

CVE-2018-5157 affects Mozilla Firefox prior to 60.0 (including ESR

7.5 CVSS | 6.1 AI score | 0.01557 EPSS
Exploits: 0 | References: 11 | Affected Software: 6

CVE
added 2018/06/11 9:0 p.m. | 365 views

CVE-2016-9078

CVE-2016-9078 affects Mozilla Firefox prior to the 50.0.2 update. The issue is a redirect from an HTTP connection to a data: URL that can cause the data: URL to inherit the referring site’s origin, enabling potential same-origin policy violations when loading resources from malicious sites. Cross...

8.8 CVSS | 7.8 AI score | 0.01884 EPSS
Exploits: 2 | References: 4 | Affected Software: 1

CVE
added 2018/06/11 9:0 p.m. | 151 views

CVE-2016-5291

CVE-2016-5291 is a local-bypass vulnerability where an attacker could load arbitrary local content by abusing local shortcut files, bypassing same-origin policy in Mozilla Firefox and Thunderbird products. Public details in connected docs indicate affected versions include Thunderbird < 45.5, F...

5.5 CVSS | 6.4 AI score | 0.00442 EPSS
Exploits: 1 | References: 9 | Affected Software: 2

Cvelist
added 2018/06/11 9:0 p.m. | 20 views

CVE-2017-7759

Android intent URLs given to Firefox for Android can be used to navigate from HTTP or HTTPS URLs to local "file:" URLs, allowing for the reading of local data through a violation of same-origin policy. Note: This attack only affects Firefox for Android. Other operating systems are not affected...

7.6 AI score | 0.00675 EPSS
Exploits: 1 | References: 4

CVE
added 2018/06/11 9:0 p.m. | 134 views

CVE-2018-5136

CVE-2018-5136 describes a policy bypass in Mozilla Firefox where a shared worker created from a "data:" URL in one tab can be shared with another tab from a different origin, bypassing the same-origin policy. This affects Firefox versions earlier than 59. The bug is that a data URL-based shared w...

7.5 CVSS | 7.6 AI score | 0.01644 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Cvelist
added 2018/06/11 9:0 p.m. | 19 views

CVE-2018-5136

A shared worker created from a "data:" URL in one tab can be shared by another tab with a different origin, bypassing the same-origin policy. This vulnerability affects Firefox 59...

7.8 AI score | 0.01644 EPSS
Exploits: 0 | References: 5

Cvelist
added 2018/06/11 9:0 p.m. | 23 views

CVE-2017-7797

Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin. This vulnerability affects Firefox 55...

7.8 AI score | 0.0081 EPSS
Exploits: 1 | References: 3

Debian CVE
added 2018/06/11 9:0 p.m. | 26 views

CVE-2017-5407

Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information...

6.5 CVSS | 7.9 AI score | 0.02806 EPSS
Exploits: 1

Debian CVE
added 2018/06/11 9:0 p.m. | 25 views

CVE-2017-7787

Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird 52.3, Firefox ESR 52.3, and Firefox 55...

7.5 CVSS | 8.7 AI score | 0.02376 EPSS
Exploits: 1

Debian CVE
added 2018/06/11 9:0 p.m. | 21 views

CVE-2017-7759

Android intent URLs given to Firefox for Android can be used to navigate from HTTP or HTTPS URLs to local "file:" URLs, allowing for the reading of local data through a violation of same-origin policy. Note: This attack only affects Firefox for Android. Other operating systems are not affected...

7.5 CVSS | 7 AI score | 0.00675 EPSS
Exploits: 1

Debian CVE
added 2018/06/11 9:0 p.m. | 33 views

CVE-2016-9078

Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without t...

8.8 CVSS | 8.9 AI score | 0.01884 EPSS
Exploits: 2

Debian CVE
added 2018/06/11 9:0 p.m. | 28 views

CVE-2017-7797

Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin. This vulnerability affects Firefox 55...

7.5 CVSS | 8.8 AI score | 0.0081 EPSS
Exploits: 1

Debian CVE
added 2018/06/11 9:0 p.m. | 23 views

CVE-2016-5291

A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. This vulnerability affects Thunderbird 45.5, Firefox ESR 45.5, and Firefox 50...

5.5 CVSS | 8 AI score | 0.00442 EPSS
Exploits: 1