Mozilla Foundation Security Advisory 2015-140

Cross-origin information leak through web workers error events

Announced

December 15, 2015

Reporter

Masato Kinugawa

Impact

High

Products

Firefox

Fixed in

Firefox 43

Description

Security researcher Masato Kinugawa reported a cross-origin information leak through the error events in web workers. This violates same-origin policy and the leaked information could potentially be used by a malicious party to gather authentication tokens and other data from third-party websites.

This issue affects other browsers as well and is not limited to Mozilla products.

References

Cross-origin information disclosure with error message of Web Workers (CVE-2015-7215)
Throw NetworkError for cross-origin importScripts() exceptions

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-140

Cross-origin information leak through web workers error events

Description

References