Mozilla Foundation Security Advisory 2016-81

Information disclosure and local file manipulation through drag and drop

Announced

August 2, 2016

Reporter

Rafael Gieschke

Impact

Moderate

Products

Firefox

Fixed in

Firefox 48

Description

Security researcher Rafael Gieschke reported that file URIs dragged from a web page in Firefox to other software do not have their contents properly filtered before being passed to other programs, such as the local file manager. This can allow for the theft or manipulation of arbitrary local files if a user can be convinced to drag items from a malicious web page to other programs.

References

Outgoing dataTransfer items are not filtered (CVE-2016-5266)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-81

Information disclosure and local file manipulation through drag and drop

Description

References