Firefox, Firefox ESR and Thunderbird are vulnerable to cross-site scripting (XSS) attacks. A remote user can bypass inline JavaScript Content Security Policy (CSP) and cause event handlers on marquee elements to be executed resulting in arbitrary code to execution. The affected component is Marquee Tag Handler
.
rhn.redhat.com/errata/RHSA-2016-2946.html
rhn.redhat.com/errata/RHSA-2016-2973.html
www.securityfocus.com/bid/94885
www.securitytracker.com/id/1037461
access.redhat.com/errata/RHSA-2016:2973
access.redhat.com/security/updates/classification/#important
bugzilla.mozilla.org/show_bug.cgi?id=1312272
security.gentoo.org/glsa/201701-15
www.debian.org/security/2017/dsa-3757
www.mozilla.org/security/advisories/mfsa2016-94/
www.mozilla.org/security/advisories/mfsa2016-95/
www.mozilla.org/security/advisories/mfsa2016-96/