CVE-2015-0816 Information

Description

Mozilla Firefox before 37.0 Firefox ESR 31.x before 31.6 and Thunderbird before 31.6 do not properly restrict resource: URLs which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy as demonstrated by the resource: URL associated with PDF.js.

Reference

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html http://rhn.redhat.com/errata/RHSA-2015-0766.html http://rhn.redhat.com/errata/RHSA-2015-0771.html http://www.debian.org/security/2015/dsa-3211 http://www.debian.org/security/2015/dsa-3212 http://www.mozilla.org/security/announce/2015/mfsa2015-33.html http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html http://www.securityfocus.com/bid/73461 http://www.securitytracker.com/id/1031996 http://www.securitytracker.com/id/1032000 http://www.ubuntu.com/usn/USN-2550-1 http://www.ubuntu.com/usn/USN-2552-1 https://bugzilla.mozilla.org/show_bug.cgi?id=1144991 https://security.gentoo.org/glsa/201512-10 https://www.exploit-db.com/exploits/37958/