PT-2015-1900 · Mozilla+3 · Firefox+3

Credit: Christoph Kerschbaumer +1

Published 2015-08-11 · Updated 2024-12-12 · CVE-2015-4490

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Mozilla Firefox versions prior to 40.0

Description: The issue arises from the nsCSPHostSrc::permits function in Mozilla Firefox, which does not implement Content Security Policy Level 2 exceptions for certain URL schemes during wildcard source-expression matching. This could make it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging unexpected policy-enforcement behavior. The vulnerability might allow a remote attacker to inject arbitrary HTML code.

Recommendations: For versions prior to 40.0, update to version 40.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources to minimize the risk of exploitation. Avoid using the vulnerable function nsCSPHostSrc::permits until a patch is available.
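To make the policy-enforcement point concrete, here is an added example (not Firefox code and not the nsCSPHostSrc::permits implementation): a simplified CSP source-expression matcher following the CSP Level 2 rule that a bare `*` never matches blob:, data: or filesystem: URLs unless those schemes are listed explicitly. The `csp2_exceptions=False` switch models the behaviour the description attributes to versions before 40.0; sample URLs are constructed.

```python
from urllib.parse import urlsplit

# CSP Level 2 (section 4.2.2): a bare "*" source matches any URL except one whose
# scheme is blob, data or filesystem; those must be listed explicitly ("img-src * data:").
WILDCARD_EXEMPT_SCHEMES = frozenset({"blob", "data", "filesystem"})


def source_permits(expr: str, url: str, csp2_exceptions: bool = True) -> bool:
    """Does one host/scheme source expression permit loading `url`?

    Simplified model: handles "*", "scheme:", "host", "scheme://host" and a leading
    "*." host wildcard; ports and paths are ignored. With csp2_exceptions=False
    "*" also matches blob:/data:/filesystem: URLs, the pre-40.0 behaviour the
    advisory describes.
    """
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    expr = expr.lower()

    if expr == "*":
        return not (csp2_exceptions and scheme in WILDCARD_EXEMPT_SCHEMES)
    if expr.endswith(":") and "/" not in expr:  # scheme-only source, e.g. "https:"
        return scheme == expr[:-1]
    if "://" in expr:                           # scheme://host
        expr_scheme, expr_host = expr.split("://", 1)
        if expr_scheme != scheme:
            return False
    else:                                       # host only: scheme not checked in this model
        expr_host = expr
    if expr_host.startswith("*."):              # *.example.com (not example.com itself)
        return host.endswith(expr_host[1:])
    return host == expr_host


def directive_permits(directive: str, url: str, csp2_exceptions: bool = True) -> bool:
    """Evaluate a whole directive such as "img-src * 'self'" against `url`.

    Quoted keyword sources ('self', 'none', nonces, hashes) need document
    context and are skipped here, so they never grant access in this model.
    """
    sources = directive.split()[1:]  # drop the directive name
    return any(source_permits(s, url, csp2_exceptions) for s in sources if not s.startswith("'"))


if __name__ == "__main__":
    inline = "data:text/plain,hello"  # constructed sample URL
    print(directive_permits("img-src *", inline))                        # False: CSP2 rule
    print(directive_permits("img-src *", inline, csp2_exceptions=False))  # True: pre-40.0
    print(directive_permits("img-src * data:", inline))                  # True: opted in
```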

Tags: Exploit · Fix · XSS

Related Identifiers

ALT-PU-2015-1704
ALT-PU-2016-1454
BDU:2015-11246
CVE-2015-4490
MGASA-2015-0414
OPENSUSE-SU-2015_1389-1
OPENSUSE-SU-2015_1390-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:14572-1
USN-2702-1
USN-2702-2
USN-2702-3

Affected Products

Alt Linux
Firefox
Suse
Ubuntu