Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2014-1483

Source

Mozilla Foundation Security Advisory 2014-05

Information disclosure with *FromPoint on iframes

Announced

February 4, 2014

Reporter

Jordan Milne

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 27
SeaMonkey 2.24

Description

Security researcher Jordan Milne reported an information leak where document.caretPositionFromPoint and document.elementFromPoint functions could be used on a cross-origin iframe to gain information on the iframe's DOM and other attributes through a timing attack, violating same-origin policy.

In general this flaw cannot be exploited through email in the Seamonkey product because scripting is disabled in mail, but is potentially a risk in browser or browser-like contexts.

References

caretPositionFromPoint and elementFromPoint leak information about iframe contents via timing information (CVE-2014-1483)

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Information disclosure with *FromPoint on iframes

Information disclosure with *FromPoint on iframes

Description

References

Vulmon Search

About

Products

Connect