Security Vulnerabilities fixed in Firefox ESR 24.4

description-logoDescription

Security researcher Mariusz Mlynski, via TippingPoint's Pwn2Own contest, reported that it is possible for untrusted web content to load a chrome-privileged page by getting JavaScript-implemented WebIDL to call window.open(). A second bug allowed the bypassing of the popup-blocker without user interaction. Combined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution.

affected-products-logoAffected Applications

Firefox ESR

CVE References

CVE-2014-1511 CVE-2014-1510