CVE-2018-18494 (NVD)

2019-02-28

A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64.

Products Ubuntu_linux, Debian_linux, Firefox, Firefox_esr, Thunderbird, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation
Type Origin Validation Error (CWE-346)
First patch - None (likely due to unavailable code)
Links https://bugzilla.mozilla.org/show_bug.cgi?id=1487964
https://usn.ubuntu.com/3868-1/
https://www.mozilla.org/security/advisories/mfsa2018-29/
https://security.gentoo.org/glsa/201903-04
https://www.mozilla.org/security/advisories/mfsa2018-30/