The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in Mozilla Firefox before 46.0 does not properly restrict principal inheritance during chrome.tabs.create and chrome.tabs.update API calls, which allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted extension that accesses a (1) javascript: or (2) data: URL.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mozilla
Published: 2016-04-30T17:00:00
Updated: 2017-06-30T16:57:01
Reserved: 2016-03-01T00:00:00
Link: CVE-2016-2817
JSON object: View
NVD Information
Status : Modified
Published: 2016-04-30T17:59:14.647
Modified: 2017-07-01T01:29:40.937
Link: CVE-2016-2817
JSON object: View
Redhat Information
No data.
CWE