A same-origin policy violation could have allowed the theft of cross-origin URL entries via performance.getEntries(). The Performance API returns a PerformanceEntry for every resource a page loads; each entry carries the resource's URL in its name field together with timing data. The same-origin policy requires that a page learn nothing about a cross-origin resource beyond what it requested itself: the entry's name must be the URL the page asked for (never the target a cross-origin redirect led to), and the network timing fields must be zeroed unless the responding server opts in with a Timing-Allow-Origin header. Affected versions did not fully enforce these restrictions, so a malicious page could read cross-origin URL entries that should have been withheld from it.
This is an information disclosure bug, not a code execution bug. The script that reads the leaked entries runs in the attacker's own page, in its own origin; what the attacker gains is knowledge of URLs belonging to another origin, which may embed session identifiers, account numbers or other secrets that redirects commonly place in query strings. The issue affects Thunderbird before 102.4, Firefox ESR before 102.4, and Firefox before 106.
Affected packages
Affected packages: Thunderbird before 102.4, Firefox ESR before 102.4, Firefox before 106 (fixed in those releases).
Solution
Update to Thunderbird 102.4, Firefox ESR 102.4, or Firefox 106 or later. There is no web-page-side workaround: the leak is in the browser's own implementation of the Performance API, so script on a targeted site cannot stop a page on another origin from reading the entries its browser exposes. Sites wanting defence in depth should avoid carrying secrets in URLs that may surface through redirects, and should send Timing-Allow-Origin only for origins they trust, since that header deliberately relaxes the same restrictions this bug bypassed.
How did we find this issue?
A cross-origin request is an HTTP request that a page served from one origin (scheme, host and port) makes to a different origin.
For example, a page loaded from https://www.example.com/ that fetches a script or image from https://www.facebook.com/ makes a cross-origin request, and the browser must limit what the page can learn about the response. A request from a page on https://www.facebook.com/ to another URL on https://www.facebook.com/ is same-origin, and no such restriction applies.
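As an added example that is not part of the original advisory or of Mozilla's code, the script below shows what performance.getEntries() exposes for cross-origin resources and audits a resource-timing list for the leak described above: any cross-origin entry whose name the page never requested (such as a redirect target) is reported, and cross-origin timing fields that should be zero without a Timing-Allow-Origin header are noted. The origins (attacker.example, victim.example, cdn.example), the URLs and the entries are constructed for illustration; in a browser the same function runs over performance.getEntriesByType("resource").

```javascript
// Added example (not from the original advisory or from Mozilla): audit the
// entries performance.getEntries() exposes for cross-origin URL leakage.
// All origins, URLs and entries below are constructed for illustration.

// Timing fields that the Resource Timing spec requires to be 0 for a
// cross-origin resource unless its response carried a permitting
// Timing-Allow-Origin header.
const TAO_GATED_FIELDS = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart", "requestStart", "responseStart",
];

function originOf(url) {
  return new URL(url).origin;
}

// docOrigin:     origin of the page running the audit (location.origin in a browser)
// requestedUrls: URLs the page itself asked for; a correct browser reports exactly
//                these as `name`, even when the server redirected elsewhere
// entries:       PerformanceResourceTiming-like objects, e.g. the result of
//                performance.getEntriesByType("resource")
// Returns a list of findings; an empty list means nothing cross-origin leaked.
function auditResourceEntries(docOrigin, requestedUrls, entries) {
  const requested = new Set(requestedUrls);
  const findings = [];
  for (const e of entries) {
    if (e.entryType !== "resource") continue;          // marks, measures, navigation: ignore
    const crossOrigin = originOf(e.name) !== docOrigin;
    if (!crossOrigin) continue;                        // same-origin entries may expose everything
    if (!requested.has(e.name)) {
      // The page never asked for this URL, so it can only have come from a redirect
      // or from another origin's activity: the class of leak the advisory describes.
      findings.push({ name: e.name, severity: "leak",
        detail: "cross-origin URL the page never requested" });
      continue;
    }
    const exposed = TAO_GATED_FIELDS.filter((f) => Number(e[f] ?? 0) !== 0);
    if (exposed.length > 0) {
      findings.push({ name: e.name, severity: "info",
        detail: `timing exposed (${exposed.join(", ")}); acceptable only if Timing-Allow-Origin permitted it` });
    }
  }
  return findings;
}

// Constructed sample: what a page on https://attacker.example might see after
// loading two cross-origin resources, one of which redirected to a URL that
// carries a session token.
const DOC_ORIGIN = "https://attacker.example";
const REQUESTED = [
  "https://attacker.example/app.js",
  "https://victim.example/start",   // constructed: 302s to a URL the page must not learn
  "https://cdn.example/lib.js",
];
const zeroTiming = Object.fromEntries(TAO_GATED_FIELDS.map((f) => [f, 0]));
const SAMPLE_ENTRIES = [
  { entryType: "resource", name: "https://attacker.example/app.js", ...zeroTiming, requestStart: 12.4 },
  { entryType: "resource", name: "https://victim.example/start", ...zeroTiming },
  // Correct behaviour is that the redirect target never appears as an entry;
  // a browser with the bug could return an entry like this one.
  { entryType: "resource", name: "https://victim.example/account?session=8f3a91c2", ...zeroTiming },
  { entryType: "resource", name: "https://cdn.example/lib.js", ...zeroTiming, requestStart: 30.1, responseStart: 45.9 },
  { entryType: "mark", name: "app-ready" },
];

function runSampleAudit() {
  return auditResourceEntries(DOC_ORIGIN, REQUESTED, SAMPLE_ENTRIES);
}

// In a browser, after e.g. `await fetch("https://victim.example/start", { mode: "no-cors" })`:
//   auditResourceEntries(location.origin, REQUESTED, performance.getEntriesByType("resource"))
```

Running the sample audit yields two findings: a "leak" for the account URL that the page never requested, and an "info" note for the CDN entry whose timing fields are non-zero (legitimate only if that CDN sent Timing-Allow-Origin). The https://victim.example/start entry produces nothing, which is the behaviour a patched browser must show for a cross-origin redirect.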
The issue was found by users during fuzzing: running large numbers of automatically generated test inputs against a codebase so that vulnerabilities surface faster and more systematically than manual testing allows.
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 02:55:00 UTC