Mozilla Foundation Security Advisory 2015-132

Mixed content WebSocket policy bypass through workers

Announced
November 3, 2015
Reporter
Ehsan Akhgari
Impact
Moderate
Products
Firefox, Firefox ESR, Thunderbird
Fixed in
  • Firefox 42
  • Firefox ESR 38.4
  • Thunderbird 38.4

Description

Mozilla developer Ehsan Akhgari reported a mechanism through which a web worker could be used to bypass secure requirements for WebSockets when workers are used to create WebSockets. This allows for the bypassing of mixed content WebSocket policy.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References