The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.
Recent assessments:
gwillcox-r7 at November 23, 2020 6:04pm UTC reported:
Reported as exploited in the wild as part of Googleβs 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>
Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0
lists.opensuse.org/opensuse-security-announce/2015-08/msg00009.html
lists.opensuse.org/opensuse-security-announce/2015-08/msg00010.html
lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html
lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html
lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.html
rhn.redhat.com/errata/RHSA-2015-1581.html
www.mozilla.org/security/announce/2015/mfsa2015-78.html
www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
www.securityfocus.com/bid/76249
www.securitytracker.com/id/1033216
www.ubuntu.com/usn/USN-2707-1
blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild
bugzilla.mozilla.org/show_bug.cgi?id=1178058
bugzilla.mozilla.org/show_bug.cgi?id=1179262
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4495
security.gentoo.org/glsa/201512-10
www.exploit-db.com/exploits/37772