CVE-2015-7207 — Sensitive Information Exposure in Firefox
Severity
6.5MEDIUMNVD
NVD5.0OSV10.0OSV5.0
EPSS
0.4%
top 36.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 16
Latest updateJan 9
Description
Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a related issue to CVE-2015-1300.
CVSS vector
AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9
Affected Packages7 packages
Also affects: Fedora 22, 23
🔴Vulnerability Details
5📋Vendor Advisories
6Microsoft▶
Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provide↗2024-01-09
Red Hat▶
Mozilla: Same-origin policy violation using perfomance.getEntries and history navigation with session restore (MFSA 2016-29)↗2016-03-08
Debian▶
CVE-2016-1967: firefox - Mozilla Firefox before 45.0 does not properly restrict the availability of IFRAM...↗2016
Red Hat▶
Mozilla: Same-origin policy violation using perfomance.getEntries and history navigation (MFSA 2015-136)↗2015-12-16
💬Community
1Bugzilla▶
CVE-2015-7207 Mozilla: Same-origin policy violation using perfomance.getEntries and history navigation (MFSA 2015-136)↗2015-12-15