CVE-2015-7207

Description

Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a related issue to CVE-2015-1300.

CVSS Metrics

• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.44%• Percentile: 63%

Techniques & Countermeasures

• CWE-200•Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

• fedoraproject•fedora

  22 | 23

• mozilla•firefox

  ≤ 42.0

• opensuse•leap

  42.1

• opensuse•opensuse

  13.1 | 13.2

References (14)

• http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html
• https://security.gentoo.org/glsa/201512-10
• http://lists.opensuse.org/opensuse-updates/2015-12/msg00104.html
• http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00089.html
• https://bugzilla.mozilla.org/show_bug.cgi?id=1185256
• https://github.com/w3c/resource-timing/issues/29
• http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174253.html
• http://www.ubuntu.com/usn/USN-2833-1
• http://www.securityfocus.com/bid/79280
• http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
• http://www.mozilla.org/security/announce/2015/mfsa2015-136.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174083.html
• http://www.securitytracker.com/id/1034426