CVE-2015-7215 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

5.0MEDIUMNVD

OSV10.0

EPSS

0.4%

top 36.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Fedoraproject Fedora Opensuse Leap +1 more

Timeline

PublishedDec 16

Latest updateMay 14

Description

The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43.0 allows remote attackers to bypass the Same Origin Policy by triggering use of the no-cors mode in the fetch API to attempt resource access that throws an exception, leading to information disclosure after a rethrow.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶Ubuntumozilla/firefox< 43.0+build1-0ubuntu0.14.04.1

▶NVDmozilla/firefox42.0

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.1, 13.2+1

Also affects: Fedora 22, 23

🔴Vulnerability Details

GHSA

GHSA-x63v-c8hj-q3pw: The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43↗2022-05-14

▶

OSV

CVE-2015-7215: The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43↗2015-12-15

▶

OSV

firefox vulnerabilities↗2015-12-15

▶

📋Vendor Advisories

Red Hat

Mozilla: Cross-origin information leak through web workers error events (MFSA 2015-140)↗2015-12-16

▶

Ubuntu

Firefox vulnerabilities↗2015-12-15

▶

💬Community

Bugzilla

CVE-2015-7215 Mozilla: Cross-origin information leak through web workers error events (MFSA 2015-140)↗2015-12-15

▶