Endpoint Vulnerability

Privilege escalation through Web Notification API

Description

Security researcher Mariusz Mlynski discovered an issue where sites that have been given notification permissions by a user can bypass security checks on source components for the Web Notification API. This allows script to run in a privileged context through notifications, leading to arbitrary code execution on these sites.

Affected Products

Thunderbird

References

CVE-2014-1529