A same-origin policy violation allowing the theft of cross-origin URL entries when using a `<meta> meta http-equiv="refresh"` on a page to cause a redirection to another site using `performance.getEntries()`. This is a same-origin policy violation and could allow for data theft. External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-18499
Acknowledgments: Name: the Mozilla project Upstream: James Lee (Kryptos Logic)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-18499