CVE-2016-5260

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 48.0

Description The issue is caused by an integer overflow in the WebSocketChannel class of the Firefox browser's WebSockets subsystem. Exploitation of this issue may allow a remote attacker to execute arbitrary code or cause a denial of service (memory corruption) by using specially crafted packets that trigger incorrect buffer resize operations during the buffering procedure. Additionally, the browser mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session, potentially allowing attackers to discover cleartext passwords by reading a session restoration file.

Recommendations For versions prior to 48.0, update to version 48.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of WebSockets or disabling the WebSocketChannel class until a patch is available. Avoid using sensitive information in INPUT fields that may be saved in session restoration files.