Public Date:
1306856: CVE-2016-1949 firefox: Same-origin-policy violation using Service Workers with plugins

The MITRE CVE dictionary describes this issue as:

Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.

Find out more about CVE-2016-1949 from the MITRE CVE dictionary dictionary and NIST NVD.


This issue does not affect the versions of Firefox shipped with Red Hat Enterprise Linux 5, 6 and 7.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 6.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 firefox Not affected
Red Hat Enterprise Linux 6 firefox Not affected
Red Hat Enterprise Linux 5 firefox Not affected

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation