Use-after-free vulnerability in the CSPService::ShouldLoad function in the microtask implementation in Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 allows remote attackers to execute arbitrary code by leveraging client-side JavaScript that triggers removal of a DOM object on the basis of a Content Policy.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Firefox | Mozilla | * | 38.1.0 (including) |
| Firefox | Ubuntu | devel | * |
| Firefox | Ubuntu | precise | * |
| Firefox | Ubuntu | trusty | * |
| Firefox | Ubuntu | upstream | * |
| Firefox | Ubuntu | utopic | * |
| Firefox | Ubuntu | vivid | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | precise | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | utopic | * |
| Thunderbird | Ubuntu | vivid | * |
| Red Hat Enterprise Linux 5 | RedHat | firefox-0:38.1.0-1.el5_11 | * |
| Red Hat Enterprise Linux 5 | RedHat | thunderbird-0:31.8.0-1.el5_11 | * |
| Red Hat Enterprise Linux 6 | RedHat | firefox-0:38.1.0-1.el6_6 | * |
| Red Hat Enterprise Linux 6 | RedHat | thunderbird-0:31.8.0-1.el6_6 | * |
| Red Hat Enterprise Linux 7 | RedHat | firefox-0:38.1.0-1.ael7b_1 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:31.8.0-1.el7_1 | * |