862309 – (CVE-2014-1481) VUL-0: CVE-2014-1481: Firefox/Seamonkey/Thunderbird: Inconsistent JavaScript handling of access to Window objects

Bug 862309 (CVE-2014-1481) - VUL-0: CVE-2014-1481: Firefox/Seamonkey/Thunderbird: Inconsistent JavaScript handling of access to Window objects

Summary: VUL-0: CVE-2014-1481: Firefox/Seamonkey/Thunderbird: Inconsistent JavaScript...

Status:	RESOLVED FIXED

Alias:	CVE-2014-1481

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Petr Cerny
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-02-05 10:05 UTC by Victor Pereira
Modified:	2014-03-26 09:20 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2014-02-05 10:05:22 UTC

CVE-2014-1481

Mozilla developer Boris Zbarsky reported an inconsistency with the different JavaScript engines in how JavaScript native getters on window objects are handled by these engines. This inconsistency can lead to different behaviors in JavaScript code, allowing for a potential security issue with window handling by bypassing of some security checks. 

References:
http://www.mozilla.org/security/announce/2014/mfsa2014-13.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1481
https://bugzilla.redhat.com/show_bug.cgi?id=1060952

Comment 1 Swamp Workflow Management 2014-02-05 23:06:00 UTC

bugbot adjusting priority

Comment 2 Marcus Meissner 2014-03-26 09:20:31 UTC

we meahwile released 24.3ESR and 27 updates