CVE-2015-0802
published 2015-04-01


Priority: P3 (53) · Severity: medium · CVSS 2.0 base score: 5
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Exploit: available
EPSS: 67.47% (99.2th percentile)
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.

Affected

7 ranges

Vendor    | Product      | Version range                         | Fixed in
canonical | ubuntu_linux | (not listed)                          | (not listed)
canonical | ubuntu_linux | (not listed)                          | (not listed)
canonical | ubuntu_linux | (not listed)                          | (not listed)
mozilla   | firefox      | <= 36.0.4                             | (not listed)
mozilla   | firefox      | >= 0, < 37.0+build2-0ubuntu0.14.04.1  | 37.0+build2-0ubuntu0.14.04.1
opensuse  | opensuse     | (not listed)                          | (not listed)
opensuse  | opensuse     | (not listed)                          | (not listed)

Detection & IOCs (extracted from sources)

url: chrome://browser/content/browser.xul
url: data:application/pdf,
url: data:application/xml,
command: q.messageManager.loadFrameScript('data:,'+key, false);
  • Exploit targets Firefox versions 35–36 specifically; browser UA version checks between 35 and 36 are a key fingerprint used by the exploit delivery logic.
  • Exploit requires user click interaction to trigger; monitor for suspicious iframe injection of data:application/pdf and data:application/xml URIs combined with PDF.js loading in Firefox 35–36.
  • Exploit abuses resource:// URIs for privilege escalation via PDF.js; monitor for resource:// URI access originating from web content contexts in Firefox.
  • Exploit uses messageManager.loadFrameScript with a data: URI to inject privileged JavaScript into the chrome window; detect calls to loadFrameScript with data: scheme arguments from unprivileged content.
  • Exploit navigates a privileged chrome:// window to attacker-controlled content to escalate privileges; monitor for navigation of chrome:// windows to non-chrome origins.
  • Exploit uses view-source: scheme combined with object element data attribute manipulation as part of sandbox context acquisition; monitor for object elements switching from data:application/pdf to view-source: URIs.
  • Exploit uses setInterval polling (every 20ms) to detect sandboxContext availability before launching chrome:// navigation; this tight polling loop on window properties may be detectable via browser instrumentation.
  • CVE-2015-0802 is chained with CVE-2015-0816 (PDF.js can load chrome:// URIs); detections should consider both CVEs together when triaging Firefox 35–36 exploitation attempts.
  • CVE-2015-0802 alone does not enable privilege escalation; it requires a separate flaw (such as CVE-2015-0816) to allow web content to obtain a reference to a privileged window before this vulnerability can be exploited.
  • Red Hat Enterprise Linux 5, 6, and 7 shipped versions of Firefox and Thunderbird are confirmed not affected by this CVE; detections targeting RHEL environments should be scoped accordingly.
  • The Metasploit module targets Firefox 35–36 for the combined CVE-2015-0816 + CVE-2015-0802 chain; Firefox 37+ is patched and the exploit's UA version gate will not fire against it.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:P/A:N
osv           |         | 7.5   | HIGH     |
vendor_ubuntu |         | 7.5   | HIGH     |
vendor_redhat |         | 5.0   | MEDIUM   |