Description
The Reader mode feature in Mozilla Firefox before 37.0.1 on Android, and Desktop Firefox pre-release, does not properly handle privileged URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201512-10
Vendor Advisory x_refsource_confirm
http://www.mozilla.org/security/announce/2015/mfsa2015-43.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1032029
Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1147597
Scores
EPSS
0.0146
EPSS Percentile
81.2%
Details
CWE
CWE-264
Status
published
Products (2)
mozilla/firefox
< 37.0
oracle/solaris
11.3
Published
Apr 08, 2015
Tracked Since
Feb 18, 2026