Mozilla Foundation Security Advisory 2015-43
Loading privileged content through Reader mode
- Announced: April 3, 2015
- Reporter: Armin Ebert
- Impact: High
- Products: Firefox
- Fixed in: Firefox 37.0.1
Description
Security researcher Armin Ebert reported a flaw in Reader mode on Firefox for
Android. Reader mode reformats web
content for easy readability and operates as unprivileged content that is the
equivalent of the formatted content. When Reader mode is unable to process
content, it displays the original web pages. Since it is unprivileged, there are
no restrictions on pages linking to or framing Reader mode content. The reported
flaw is that privileged URLs can be passed to Reader mode and bypass the normal
restrictions that prevent web pages from obtaining references to privileged
contexts. If this issue were combined with another flaw that allowed for a
violation of the same-origin policy, then the resulting combination could lead
to arbitrary code execution.
This flaw only affects Firefox for Android and pre-release versions of desktop Firefox. The released version of desktop Firefox does not have Reader mode and is not affected.
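
As an added example (not Mozilla's patch and not code from this advisory), the check below shows the kind of target validation that keeps a reader-style viewer from loading privileged URLs on behalf of web content. The `about:reader?url=` layout, the function name `safeReaderTarget` and the sample inputs are assumptions of this example.

```javascript
// Added example: scheme allowlist for a viewer that loads a target URL for web content.
// Only ordinary web schemes are accepted; about:, chrome:, resource:, file:,
// data:, view-source:, jar: and anything else are refused.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// viewerUrl: e.g. "about:reader?url=<percent-encoded target>" (layout assumed).
// Returns the normalized target URL, or null when the viewer must not load it.
function safeReaderTarget(viewerUrl) {
  const q = viewerUrl.indexOf("?");
  if (q === -1) return null;
  const query = viewerUrl.slice(q + 1).split("#")[0]; // ignore any fragment
  const targets = new URLSearchParams(query).getAll("url");
  // A repeated parameter could let the checker and the loader pick different values.
  if (targets.length !== 1) return null;
  let target;
  try {
    // Parse with a real URL parser; relative input throws here.
    target = new URL(targets[0]);
  } catch (e) {
    return null;
  }
  // Decide on the parsed scheme, never on a string prefix: the parser lowercases it
  // and strips leading whitespace that a prefix test would miss.
  if (!ALLOWED_SCHEMES.has(target.protocol)) return null;
  return target.href;
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  "about:reader?url=https%3A%2F%2Fexample.com%2Farticle%3Fid%3D1", // ordinary page
  "about:reader?url=about%3Aconfig",                               // privileged scheme
  "about:reader?url=%20ABOUT%3Aconfig",                            // case and whitespace
  "about:reader?url=view-source%3Ahttps%3A%2F%2Fexample.com",      // wrapper scheme
  "about:reader?url=https%3A%2F%2Fexample.com&url=about%3Aconfig", // duplicated parameter
];
for (const s of SAMPLES) {
  console.log(safeReaderTarget(s) === null ? "REFUSE" : "LOAD  ", s);
}
```

The validation has to run in the privileged code that performs the load, immediately before the load, so that pages linking to or framing the viewer cannot bypass it.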