Upstream Bugzilla fixed the following issue: If an external HTML page contains a <script> element with its src attribute pointing to a buglist in CSV format, some web browsers incorrectly try to parse the CSV file as valid JavaScript code. As the buglist is generated based on the privileges of the user logged into Bugzilla, the external page could collect confidential data contained in the CSV file. This issue was fixed in versions 4.2.16, 4.4.11, and 5.0.2. Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1232785
Created bugzilla tracking bugs for this issue: Affects: fedora-all [bug 1295439]
The update that fixes this issue was published late 2015 (this is update FEDORA-2015-247b517a18, btw). I'm quite confident that this bug can be closed.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.