PT-2016-1450 · Mozilla+3 · Firefox+3

Jordi Chancel

Published

2016-03-08

Updated

2024-12-12

CVE-2016-1967

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 45.0

Description The issue is related to an incomplete restriction of IFRAME Resource Timing API times, allowing remote attackers to bypass the Same Origin Policy and obtain sensitive information. This can be achieved through crafted JavaScript code that leverages history.back and performance.getEntries calls after restoring a browser session.

Recommendations For versions prior to 45.0, update to version 45.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of IFRAME elements and limiting access to the performance.getEntries function until a patch is applied. Avoid using the history.back function in conjunction with performance.getEntries calls after restoring a browser session to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALT-PU-2016-1277

ALT-PU-2016-1454

BDU:2016-00751

CVE-2016-1967

OPENSUSE-SU-2016_0731-1

OPENSUSE-SU-2016_0733-1

OPENSUSE-SU-2024:10071-1

OPENSUSE-SU-2024:14572-1

USN-2917-1

USN-2917-2

USN-2917-3

Affected Products

Alt Linux

Firefox

Suse

Ubuntu

PT-2016-1450 · Mozilla+3 · Firefox+3

CVE-2016-1967

Weakness Enumeration

Related Identifiers

Affected Products

References · 2116