PT-2016-1450 · Mozilla+3 · Firefox+3

Jordi Chancel

Publicado

2016-03-08

Atualizado

2024-12-12

CVE-2016-1967

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 45.0

Description The issue is related to an incomplete restriction of IFRAME Resource Timing API times, allowing remote attackers to bypass the Same Origin Policy and obtain sensitive information. This can be achieved through crafted JavaScript code that leverages history.back and performance.getEntries calls after restoring a browser session.

Recommendations For versions prior to 45.0, update to version 45.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of IFRAME elements and limiting access to the performance.getEntries function until a patch is applied. Avoid using the history.back function in conjunction with performance.getEntries calls after restoring a browser session to minimize the risk of exploitation.

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200

Identificadores relacionados

ALT-PU-2016-1277

ALT-PU-2016-1454

BDU:2016-00751

CVE-2016-1967

OPENSUSE-SU-2016_0731-1

OPENSUSE-SU-2016_0733-1

OPENSUSE-SU-2024:10071-1

OPENSUSE-SU-2024:14572-1

USN-2917-1

USN-2917-2

USN-2917-3

Produtos afetados

Alt Linux

Firefox

Suse

Ubuntu

PT-2016-1450 · Mozilla+3 · Firefox+3

CVE-2016-1967

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 2116