User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623084759

Steps to reproduce:

See: https://www.blackhat.com/us-16/briefings.html#crippling-https-with-unholy-pac

I don't know full details, and I haven't tested it, but presumably what's going on is that FindProxyForURL isn't locked down enough. I'm guessing there are two classes of vulnerabilities here:

1. FindProxyForURL is passed full URLs even if they use HTTPS. This directly leaks any sensitive information in the URL to the local network in cleartext.

2. FindProxyForURL is executed in an insufficiently sandboxed context. From the advisory, it sounds like state is shared between FindProxyForURL invocations, allowing malicious PAC scripts to inject code into one tab based on the URL or (for HTTP) contents of another tab.

I'm not marking this as a "security" bug because it's already public. If this is already being tracked internally, feel free to close it.
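The first class the reporter describes, as an added example that is not part of the bug report and is not Firefox's own PAC code: a minimal PAC evaluator in JavaScript that shows what a FindProxyForURL implementation observes when it is handed a full HTTPS URL, next to a hardened variant that reduces the argument to scheme and host before the call. The PAC script, the bank.example URL and the function names (loadPac, resolveProxyNaive, sanitizeUrlForPac, resolveProxySanitized) are constructed for this example.

```javascript
// Added example, not code from the bug report or from Firefox: a minimal
// PAC evaluator that shows (a) what FindProxyForURL observes when handed a
// full HTTPS URL and (b) a defensive wrapper that strips path, query and
// fragment before the call, so the script only ever sees scheme and host.

// Constructed, benign PAC script. A real PAC script arrives over the network
// (often via WPAD) and must be treated as untrusted code; this one merely
// records the URL argument it was given and returns DIRECT.
const samplePacSource = `
  function FindProxyForURL(url, host) {
    seen.push(url);
    return "DIRECT";
  }
`;

// Load a PAC script and hand it a single 'seen' array for inspection.
// One loaded instance keeps its own state across calls, which is the kind
// of cross-invocation sharing the report's second point is about.
// Note: new Function() is NOT a sandbox; a real evaluator needs a separate
// JS context with no access to browser or page state.
function loadPac(source) {
  const seen = [];
  const findProxy = new Function("seen", source + "\nreturn FindProxyForURL;")(seen);
  return { findProxy, seen };
}

// Naive evaluator: passes the full URL through, as the report describes.
function resolveProxyNaive(pac, urlString) {
  const u = new URL(urlString);
  return pac.findProxy(urlString, u.hostname);
}

// Hardened URL argument: for HTTPS, keep only scheme and host (with an
// explicit port if present) and drop path, query and fragment. Non-HTTPS
// URLs are passed unchanged because they cross the network in the clear anyway.
function sanitizeUrlForPac(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "https:") {
    return `${u.protocol}//${u.host}/`;
  }
  return urlString;
}

// Hardened evaluator: the PAC script can still make proxy decisions by
// host, but never sees the sensitive part of an HTTPS URL.
function resolveProxySanitized(pac, urlString) {
  const u = new URL(urlString);
  return pac.findProxy(sanitizeUrlForPac(urlString), u.hostname);
}

// Demonstration: the same constructed URL through both evaluators.
function demo() {
  const url = "https://bank.example/accounts?session=abc123#summary"; // constructed
  const naive = loadPac(samplePacSource);
  resolveProxyNaive(naive, url);
  const hardened = loadPac(samplePacSource);
  resolveProxySanitized(hardened, url);
  return { naiveSaw: naive.seen[0], hardenedSaw: hardened.seen[0] };
}
```

Running demo() shows the naive path handing the script the full query string and fragment, while the hardened path hands it only "https://bank.example/". Stripping the URL addresses the cleartext-leak class only; the second class (shared state between invocations) needs the script to run in an isolated context, which the `new Function` call here deliberately does not provide.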
This is a dupe of Bug 1255474, tracked with the security bit enabled still.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1255474