Vigil@nce - Firefox: information disclosure via fetch
December 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the fetch() function in a web site, in order
to obtain sensitive information belonging to another site.
Impacted products: Fedora, Firefox, openSUSE, Ubuntu.
Severity: 2/4.
Creation date: 16/10/2015.
DESCRIPTION OF THE VULNERABILITY
The CORS (Cross-Origin Resource Sharing) specification defines
rules to share resources between domains, such as fonts.
The function fetch() downloads documents. However, as it does not
honor CORS, an attacker can bypass access restrictions to data.
An attacker can therefore use the fetch() function in a web site,
in order to obtain sensitive information belonging to another site.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Firefox-information-disclosure-via-fetch-18117