The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Debian_linux | Debian | 7.0 (including) | 7.0 (including) |
| Debian_linux | Debian | 8.0 (including) | 8.0 (including) |
| Debian_linux | Debian | 9.0 (including) | 9.0 (including) |
| Red Hat Enterprise Linux 6 | RedHat | firefox-0:52.5.0-1.el6_9 | * |
| Red Hat Enterprise Linux 6 | RedHat | thunderbird-0:52.5.0-1.el6_9 | * |
| Red Hat Enterprise Linux 7 | RedHat | firefox-0:52.5.0-1.el7_4 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:52.5.0-1.el7_4 | * |
| Firefox | Ubuntu | artful | * |
| Firefox | Ubuntu | bionic | * |
| Firefox | Ubuntu | devel | * |
| Firefox | Ubuntu | trusty | * |
| Firefox | Ubuntu | upstream | * |
| Firefox | Ubuntu | xenial | * |
| Firefox | Ubuntu | zesty | * |
| Thunderbird | Ubuntu | artful | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | xenial | * |
| Thunderbird | Ubuntu | zesty | * |