Endpoint Vulnerability

Mixed content WebSocket policy bypass through workers

Description

Mozilla developer Ehsan Akhgari reported a mechanism by which a web worker could be used to bypass the secure requirements for WebSockets when the WebSocket is created from within a worker. This allows the mixed content WebSocket policy to be bypassed.

Affected Products

Thunderbird

References

CVE-2015-7197