The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Debian_linux | Debian | 7.0 (including) | 7.0 (including) |
| Debian_linux | Debian | 8.0 (including) | 8.0 (including) |
| Debian_linux | Debian | 9.0 (including) | 9.0 (including) |
| Red Hat Enterprise Linux 6 | RedHat | firefox-0:52.5.0-1.el6_9 | * |
| Red Hat Enterprise Linux 6 | RedHat | thunderbird-0:52.5.0-1.el6_9 | * |
| Red Hat Enterprise Linux 7 | RedHat | firefox-0:52.5.0-1.el7_4 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:52.5.0-1.el7_4 | * |
| Firefox | Ubuntu | artful | * |
| Firefox | Ubuntu | bionic | * |
| Firefox | Ubuntu | devel | * |
| Firefox | Ubuntu | trusty | * |
| Firefox | Ubuntu | upstream | * |
| Firefox | Ubuntu | xenial | * |
| Firefox | Ubuntu | zesty | * |
| Thunderbird | Ubuntu | artful | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | xenial | * |
| Thunderbird | Ubuntu | zesty | * |
References
- http://www.securityfocus.com/bid/101832
- http://www.securitytracker.com/id/1039803
- https://access.redhat.com/errata/RHSA-2017:3247
- https://access.redhat.com/errata/RHSA-2017:3372
- https://bugzilla.mozilla.org/show_bug.cgi?id=1408990
- https://lists.debian.org/debian-lts-announce/2017/11/msg00018.html
- https://lists.debian.org/debian-lts-announce/2017/12/msg00001.html
- https://www.debian.org/security/2017/dsa-4035
- https://www.debian.org/security/2017/dsa-4061
- https://www.debian.org/security/2017/dsa-4075
- https://www.mozilla.org/security/advisories/mfsa2017-24/
- https://www.mozilla.org/security/advisories/mfsa2017-25/
- https://www.mozilla.org/security/advisories/mfsa2017-26/
- http://www.securityfocus.com/bid/101832
- http://www.securitytracker.com/id/1039803
- https://access.redhat.com/errata/RHSA-2017:3247
- https://access.redhat.com/errata/RHSA-2017:3372
- https://bugzilla.mozilla.org/show_bug.cgi?id=1408990
- https://lists.debian.org/debian-lts-announce/2017/11/msg00018.html
- https://lists.debian.org/debian-lts-announce/2017/12/msg00001.html
- https://www.debian.org/security/2017/dsa-4035
- https://www.debian.org/security/2017/dsa-4061
- https://www.debian.org/security/2017/dsa-4075
- https://www.mozilla.org/security/advisories/mfsa2017-24/
- https://www.mozilla.org/security/advisories/mfsa2017-25/
- https://www.mozilla.org/security/advisories/mfsa2017-26/