HardOCP News
Mozilla is asking all Firefox users to upgrade immediately to version 39.0.3.
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the same origin policy) and Firefox's PDF Viewer. Mozilla products that don't contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.