KLA10642 Obtain sensitive information vulnerability in Mozilla Firefox and Firefox ESR

An unspecified vulnerability was found in Mozilla Firefox. By exploiting this vulnerability malicious users can obtain sensitive information. This vulnerability can be exploited remotely via vectors related ti PDF viewer.

Technical details

There are way to bypass same origin policy and inject script into a non-privileged part of the PDF Viewer. In case of exploitation malicious can steal sensitive local files (potentially private ssh keys and some popular config files). Some of people who using adblock may have been protected.

Original advisories

Mozilla advisory

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Mozilla-Firefox

Mozilla-Firefox-ESR

CVE list

CVE-2015-4495 warning

Solution

Update to the latest version and keep watch your passwords and configurations

Get Mozilla Firefox

Impacts

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

• RLF

Read Local Files. Exploitation of vulnerabilities with this impact can lead to reading some inaccessible files. Files that can be read depends on conсrete program errors.

Affected Products

• Mozilla Firefox versions earlier than 39.0.3Mozilla Firefox ESR versions earlier than 38.1.1