The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in Mozilla Firefox before 46.0 does not properly restrict principal inheritance during chrome.tabs.create and chrome.tabs.update API calls, which allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted extension that accesses a (1) javascript: or (2) data: URL.
References
Configurations
History
No history.
Information
Published : 2016-04-30 17:59
Updated : 2024-02-28 15:21
NVD link : CVE-2016-2817
Mitre link : CVE-2016-2817
CVE.ORG link : CVE-2016-2817
JSON object : View
Products Affected
mozilla
- firefox
CWE
CWE-264
Permissions, Privileges, and Access Controls