Mozilla Foundation Security Advisory 2016-48

Firefox Health Reports could accept events from untrusted domains

Announced

April 26, 2016

Reporter

Mark Goodwin

Impact

Moderate

Products

Firefox

Fixed in

Firefox 46

Description

Mozilla engineer Mark Goodwin discovered that the Firefox Health Report (about:healthreport) accepts certain events from any content document present in the remote-report iframe. If there were another vulnerability that allowed the injection of web content into the Firefox Health Report iframe, this content could change the sharing preferences of a user by firing the appropriate events at it s containing page.

References

FHR accepts events from untrusted domains (CVE-2016-2820)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-48

Firefox Health Reports could accept events from untrusted domains

Description

References