CVE-2016-1967Sensitive Information Exposure in Firefox

CWE-200Sensitive Information Exposure13 documents7 sources
Severity
6.5MEDIUMNVD
OSV8.8OSV5.0
EPSS
0.4%
top 39.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxDebian Firefox-esr
Timeline
PublishedMar 13
Latest updateMay 17

Description

Mozilla Firefox before 45.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls after restoring a browser session. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-7207.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

Ubuntumozilla/firefox< 45.0+build2-0ubuntu0.14.04.1+2
NVDmozilla/firefox44.0.2
debiandebian/firefox< firefox 45.0-1 (sid)
debiandebian/firefox-esr< firefox 45.0-1 (sid)

🔴Vulnerability Details

5
GHSA
GHSA-697m-2pgc-69m6: Mozilla Firefox before 452022-05-17
OSV
firefox regressions2016-04-19
OSV
firefox regressions2016-04-07
OSV
CVE-2016-1967: Mozilla Firefox before 452016-03-13
OSV
firefox vulnerabilities2016-03-09

📋Vendor Advisories

5
Ubuntu
Firefox regressions2016-04-19
Ubuntu
Firefox regressions2016-04-07
Ubuntu
Firefox vulnerabilities2016-03-09
Red Hat
Mozilla: Same-origin policy violation using perfomance.getEntries and history navigation with session restore (MFSA 2016-29)2016-03-08
Debian
CVE-2016-1967: firefox - Mozilla Firefox before 45.0 does not properly restrict the availability of IFRAM...2016

💬Community

2
Bugzilla
CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text2016-08-30
Bugzilla
CVE-2016-1967 Mozilla: Same-origin policy violation using perfomance.getEntries and history navigation with session restore (MFSA 2016-29)2016-03-08