Package Instance

Mozilla developer Boris Zbarsky reported an inconsistency
with the different JavaScript engines in how JavaScript native getters on
window objects are handled by these engines. This inconsistency can
lead to different behaviors in JavaScript code, allowing for a potential
security issue with window handling by bypassing of some security checks. 
In general this flaw cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled in mail, but is
potentially a risk in browser or browser-like contexts.

Security researcher Jordan Milne reported an information
leak where document.caretPositionFromPoint and
document.elementFromPoint functions could be used on a cross-origin
iframe to gain information on the iframe's DOM and other attributes through a
timing attack, violating same-origin policy.

In general this flaw cannot be exploited through email in the
Seamonkey product because scripting is disabled in mail, but is potentially a
risk in browser or browser-like contexts.

Fredrik 'Flonka' Lönnqvist discovered an issue with image
decoding in RasterImage caused by continued use of discarded
images. This could allow for the writing to unowned memory and a potentially
exploitable crash.
In general this flaw cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled in mail, but is
potentially a risk in browser or browser-like contexts.

Mozilla developers and community identified identified and fixed several
memory safety bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of these
could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts.

Mozilla developer Brian Smith and security researchers
Antoine Delignat-Lavaud and Karthikeyan
Bhargavan of the Prosecco research team at INRIA Paris reported issues
with ticket handling in the Network Security Services (NSS) libraries. These
have been addressed in the NSS 3.15.4 release, shipping on affected platforms.

Mozilla security engineer Frederik Braun reported an issue
where the implementation of Content Security Policy (CSP) is not in compliance
with the specification. XSLT stylesheets
must be subject to script-src directives but Mozilla's
implementation of CSP treats them as styles. This could lead to unexpected
script execution if the style-src directives were less restrictive
than those for scripts.
In general this flaw cannot be exploited through email in the
Seamonkey product because scripting is disabled in mail, but is potentially a
risk in browser or browser-like contexts.

Soeren Balko reported a crash when
terminating a web worker running asm.js code after passing an
object between threads. This crash is potentially exploitable.
In general this flaw cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled in mail, but is
potentially a risk in browser or browser-like contexts.

Security researcher Cody Crews reported a method to bypass
System Only Wrappers (SOW) by using XML Binding Language (XBL) content scopes to
clone protected XUL elements. This could be used to clone anonymous nodes,
making trusted XUL content web accessible.
In general this flaw cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled in mail, but is
potentially a risk in browser or browser-like contexts.

Mozilla developer Roee Hay reported that Firefox for
Android profile paths leak to the Android system log. When running on Android
4.2 or earlier, other applications are able to read these log files, leading to
information disclosure from the user's profile directory. This issue was also
independently reported by Mozilla developer Richard Newman.

Security researcher Arthur Gerkis, via TippingPoint's Zero
Day Initiative, reported a use-after-free during image processing from sites
with specific content types in concert with the imgRequestProxy
function. This causes a potentially exploitable crash. 
In general this flaw cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled in mail, but is
potentially a risk in browser or browser-like contexts.

Security researcher Jordi Chancel reported that the dialog
for saving downloaded files did not implement a security timeout before button
selections were processed. This could be used in concert with spoofing to
convince users to select a different option than intended, causing downloaded
files to be potentially opened instead of only saved in some circumstances.
In general this flaw cannot be exploited through email in the
Seamonkey product because scripting is disabled in mail, but is potentially a
risk in browser or browser-like contexts.

Yazan Tommalieh discovered a flaw that once users have
viewed the default Firefox start page (about:home), subsequent pages they
navigate to in that same tab could use script to activate the buttons that were
on the about:home page. Most of these simply open Firefox dialogs such as
Settings or History, which might alarm users. In some cases a malicious page
could trigger session restore and cause data loss if the current tabs are
replaced by a previously stored set.

Security researcher Masato Kinugawa reported a cross-origin
information leak through web workers' error messages. This violates same-origin
policy and the leaked information could potentially be used to gather
authentication tokens and other data from third-party websites. 
In general this flaw cannot be exploited through email in the
Thunderbird and Seamonkey products because scripting is disabled in mail, but is
potentially a risk in browser or browser-like contexts.