CVE-2022-42927 A same-origin policy violation could have allowed theft of cross-origin URL entries, leaking the result of a redirect.

The issue exists because of how code>performance.getEntries()/code> handles cross-origin requests. When a cross-origin request is made, the JavaScript entry function is called directly (without going through the browser’s event system), which could be exploited if the code contains a security issue. This would allow the execution of arbitrary code in the context of the current web page.

A same-origin policy violation could have allowed the theft of cross-origin URL entries via code>performance.getEntries()/code>. This issue affects Thunderbird  102.4, Firefox  ESR  102.4, and Firefox  106. The issue resides in the way code>performance.getEntries()/code> handles cross-origin requests. When a cross-origin request is made, the JavaScript entry function is called directly (without going through the browser’s event system), which could be exploited if the code contains a security issue. This would allow the execution of arbitrary code in the context of the current web page. A same-origin policy violation could have allowed the theft of cross-origin URL entries via code>performance.getEntries()/code>. This issue affects Thunderbird  102.4, Firefox ESR  102.4, and Firefox  106. The issue resides in the way code>performance.getEntries()/code> handles cross-origin requests. When a cross-origin

Affected packages

Affected packages: Thunderbird  102.4, Firefox ESR  102.4, Firefox  106.

Solution

The following code can be used to avoid this issue:
var e = document.createEvent('Event');
e.initEvent('URLRequestError', false);
e.preventDefault();

How did we find this issue?

A cross-origin request is a type of HTTP request that originates from one domain and is sent to an endpoint on a different domain.
One such example would be if you were connected to facebook.com via https://www.facebook.com/ and then you tried to access www.facebook.com via the following link:
https://www.facebook.com/
The issue was found by users during fuzzing, which is the process of running automated tests on a codebase for security purposes in order to discover vulnerabilities in it more quickly and efficiently than manual testing can do.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 02:55:00 UTC

References

• https://www.mozilla.org/security/advisories/mfsa2022-46/
• https://www.mozilla.org/security/advisories/mfsa2022-45/
• https://www.mozilla.org/security/advisories/mfsa2022-44/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1789128
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42927