Endpoint Vulnerability

Same origin violation and local file stealing via PDF reader

Description

Security researcher Cody Crews reported a way to violate the same-origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer.

Affected Products

Firefox ESR

References

CVE-2015-4495