Igrigorik

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 43.0 **Description** The issue is related to improper access restriction to the IFRAME Resource Timing API in the browser. This can be exploited by a remote attacker to bypass the existing access policy or obtain confidential information using specially crafted JavaScript code. The exploitation involves using `history.back` and `performance.getEntries` calls. **Recommendations** For versions prior to 43.0, update to version 43.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the IFRAME Resource Timing API until a patch is available. Avoid using the `performance.getEntries` function in conjunction with `history.back` calls in affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 45.0.2454.85 Opera versions prior to 45.0.2454.85 **Description** The issue is related to the FrameFetchContext::updateTimingInfoForIFrameNavigation function in the Blink component of Google Chrome, which does not properly restrict the availability of IFRAME Resource Timing API times. This allows remote attackers to obtain sensitive information via crafted JavaScript code that leverages a history.back call. The vulnerability can be exploited by a remote attacker to gain access to protected information. **Recommendations** For Google Chrome versions prior to 45.0.2454.85, update to version 45.0.2454.85 or later to resolve the issue. For Opera versions prior to 45.0.2454.85, update to a version that includes the fix for this issue, as the exact version is not specified. As a temporary workaround, consider restricting the use of the `history.back` call in crafted JavaScript code to minimize the risk of exploitation.