====================================================================
                          CERT-Renater

              Information Note No. 2016/VULN401
_____________________________________________________________________

DATE                 : 29/11/2016

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Firefox versions 49, 50 prior
                       to 50.0.1.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/
____________________________________________________________________

Mozilla Foundation Security Advisory 2016-91

Security vulnerabilities fixed in Firefox 50.0.1

Announced : November 28, 2016
Products  : Firefox
Fixed in  : Firefox 50.0.1

#CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect

Reporter : Alexander Inführ
Impact   : critical

Description

Redirection from an HTTP connection to a data: URL assigns the
referring site's origin to the data: URL in some circumstances. This
can result in same-origin violations against a domain if it loads
resources from malicious sites. Cross-origin setting of cookies has
been demonstrated without the ability to read them.

Note: This issue only affects Firefox 49 and 50.

References

Bug 1317641

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
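
Added example (not part of the Mozilla advisory or the CERT-Renater note): a log check that flags HTTP redirect responses whose Location header points at a data: URL, the condition described for CVE-2016-9078. The JSON-lines log format, its field names and the sample records are constructed assumptions, not a real proxy's schema.

```python
import json

# Status codes that cause a browser to follow the Location header.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample records; field names are assumptions for this example.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "url": "http://cdn.example.test/lib.js", "status": 200, "location": null}
{"client": "10.0.0.5", "url": "http://ads.example.test/frame", "status": 302, "location": "data:text/plain,constructed"}
{"client": "10.0.0.7", "url": "http://old.example.test/", "status": 301, "location": "https://new.example.test/"}
{"client": "10.0.0.9", "url": "http://img.example.test/a.png", "status": 307, "location": "  DATA:text/plain,constructed"}
{"client": "10.0.0.9", "url": "http://docs.example.test/data:notes", "status": 200, "location": null}
not json at all
"""


def is_data_url(location):
    """Return True when a Location value uses the data: scheme."""
    if not isinstance(location, str):
        return False
    # Normalise surrounding whitespace and case before comparing the scheme.
    return location.strip().lower().startswith("data:")


def find_data_redirects(log_text):
    """Return (line number, client, requested URL) for each 3xx -> data: redirect."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        if rec.get("status") in REDIRECT_STATUSES and is_data_url(rec.get("location")):
            hits.append((line_no, rec.get("client"), rec.get("url")))
    return hits


if __name__ == "__main__":
    for line_no, client, url in find_data_redirects(SAMPLE_LOG):
        print(f"line {line_no}: client {client} was redirected to a data: URL by {url}")
```

A hit only means a client was served such a redirect; whether that client was exposed depends on it running Firefox 49 or 50 prior to 50.0.1.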