CVE-2022-22760 - How Firefox Leaked Cross-Origin Resource Information via Web Workers

In early 2022, Mozilla patched a subtle yet impactful security flaw that affected Firefox, Firefox ESR, and Thunderbird. Tracked as CVE-2022-22760, this vulnerability exposed a way for attackers to infer information about cross-origin resources—resources coming from a different domain—using nothing but careful error handling inside Web Workers.

In this article, I'll break down how this issue worked, show you example code, and explain why patching it was so important.

What’s The Vulnerability?

When a website uses a Web Worker (a background script running in browsers), it can try to import external resources with importScripts(). If you try to load a resource from another domain (cross-origin), browsers enforce strict security rules.

But—here’s the catch—Firefox used slightly different error messages depending on the response type:

- If the resource returned Content-Type: application/javascript, the error said one thing.

If it returned something else (like an image or plain text), you got a different message.

This let attackers guess, just by reading the error, what type of file was at that URL, even when the browser’s same-origin policy was supposed to hide that information.

A Real Example

Suppose you have a private site at https://victim.com/secret.js that only some users can access. An attacker, running code in the browser (but from their own site!), *shouldn’t* be able to tell what’s at that URL.

However, with CVE-2022-22760, they could run this

// In a main page on attacker.com:
const worker = new Worker('worker.js');
worker.onmessage = e => {
  console.log('Worker error:', e.data);
};

// worker.js
try {
  // Try to import a script from a cross-origin URL
  importScripts('https://victim.com/secret.js');
  postMessage('Import succeeded!');
} catch (err) {
  // Leak the actual error message to the main page
  postMessage(err.message);
}

Depending on whether the response from https://victim.com/secret.js was application/javascript or something else, the error’s text changes. The main page then learns what kind of resource is at the secret URL, purely by observing error differences.

Why Does This Matter?

Browsers enforce the same-origin policy to keep data siloed. Even small leaks—like error messages varying based on hidden data—can be chained in attacks.

Fingerprinting: Knowing resource types lets attackers map out another site’s files.

- Guessing private files: If URLs are predictable (like /user1234/private.js), you can scan for them.

CVE-2022-22760 impacted

- Firefox < 97
- Thunderbird < 91.6
- Firefox ESR < 91.6

How Was It Fixed?

Mozilla changed their error reporting to always return the *same* message, no matter the content type of the cross-origin response. Now, you can’t tell what’s behind a forbidden resource—you just get a generic failure.

You can see the bug ticket here and the Mozilla release notes:

- MFSA 2022-05 (Firefox 97)
- MFSA 2022-06 (ESR 91.6)

CVE-2022-22760 let attackers infer resource *type* via worker script import error differences.

- If you’re on an old Firefox/Thunderbird, update now.

More Reading

- Mozilla Foundation Security Advisory 2022-05
- Mozilla Bug #1748923
- What is a Web Worker? (MDN)
- importScripts() docs

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 14:03:00 UTC