CVE-2015-2731

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 39.0 Mozilla Firefox ESR versions 38.x prior to 38.1 Thunderbird versions prior to 38.1

Description The issue is related to a use-after-free vulnerability in the CSPService::ShouldLoad function, which can be exploited by remote attackers to execute arbitrary code on the client side. This is achieved by leveraging client-side JavaScript that triggers the removal of a DOM object based on a Content Policy, allowing for manipulation of the DOM object. The vulnerability is associated with the use of memory after it has been freed.

Recommendations For Mozilla Firefox versions prior to 39.0, update to version 39.0 or later. For Mozilla Firefox ESR versions 38.x prior to 38.1, update to version 38.1 or later. For Thunderbird versions prior to 38.1, update to version 38.1 or later. As a temporary workaround, consider restricting the use of client-side JavaScript that triggers the removal of DOM objects based on Content Policy until a patch is available.