Bugzilla – Bug 966438
VUL-0: CVE-2016-1949: MozillaFirefox: MFSA2016-13: Same-origin-policy violation using Service Workers with plugins
Last modified: 2020-04-05 18:20:38 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/
Same-origin-policy violation using Service Workers with plugins
Announced: February 11, 2016
Reporter: Jason Pang
Impact: Critical
Products: Firefox
Fixed in: Firefox 44.0.2
Description: Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.
References: NPAPI-initiated network requests can be intercepted by service workers breaking plugin origin expectations (CVE-2016-1949)
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1306856
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1949
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1949.html
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (966438) was mentioned in https://build.opensuse.org/request/show/359592 13.1 / MozillaFirefox
releasing update
openSUSE-SU-2016:0489-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 966438
CVE References: CVE-2016-1949
Sources used:
openSUSE Leap 42.1 (src): MozillaFirefox-44.0.2-15.2
openSUSE 13.2 (src): MozillaFirefox-44.0.2-62.1
Firefox 38.x ESR is not affected by this one (it is by bug 965810 though).
openSUSE-SU-2016:0553-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 966438
CVE References: CVE-2016-1949
Sources used:
openSUSE 13.1 (src): MozillaFirefox-44.0.2-106.1
This is an autogenerated message for OBS integration: This bug (966438) was mentioned in https://build.opensuse.org/request/show/362048 Factory / MozillaFirefox