Security researcher Mario Gomes reported that when a previously loaded image on a page is dragged and dropped into content after a redirect, the redirected URL is available to scripts. This is a violation of the Fetch specification's defined behavior for "Atomic HTTP redirect handling", which states that redirected URLs are not exposed to any APIs. This can allow for information leakage.
External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/
Acknowledgements: Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Mario Gomes as the original reporter.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
Via RHSA-2015:1834 https://rhn.redhat.com/errata/RHSA-2015-1834.html
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
Via RHSA-2015:1852 https://rhn.redhat.com/errata/RHSA-2015-1852.html