When an HTTPS page was embedded in an HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing.

External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2021-04/#CVE-2020-26976
Acknowledgments:

Name: the Mozilla project
Upstream: Andrew Sutherland
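The rule behind the description above, as an added example that is not part of the original report and is not Firefox code: a frame counts as a secure context only if it and every ancestor have a potentially trustworthy origin, and a service worker should handle a frame's navigation only when that holds. The frame objects, function names, hosts and registration table are hypothetical, and the trustworthiness test is simplified.

```javascript
// Simplified model of the Secure Contexts ancestor rule (illustration only).
// Frame objects are hypothetical: { url: string, parent: frame | null }.

// Simplified "potentially trustworthy" test: secure schemes and loopback hosts.
function isPotentiallyTrustworthy(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  const host = u.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         host === "127.0.0.1" || host === "[::1]";
}

// A frame is a secure context only if it and every ancestor are trustworthy.
function isSecureContext(frame) {
  for (let f = frame; f; f = f.parent) {
    if (!isPotentiallyTrustworthy(f.url)) return false;
  }
  return true;
}

// Decide which registered service worker, if any, may handle the navigation
// for a frame. `registrations` maps scope URL prefixes to worker script names.
function interceptingWorker(frame, registrations) {
  // An insecurely framed HTTPS document must not be controlled by a worker.
  if (!isSecureContext(frame)) return null;
  let best = null;
  for (const scope of Object.keys(registrations)) {
    // Longest matching scope wins.
    if (frame.url.startsWith(scope) && (!best || scope.length > best.length)) {
      best = scope;
    }
  }
  return best ? registrations[best] : null;
}

// Constructed sample data.
const registrations = { "https://secure.example/app/": "app-sw.js" };
const page = "https://secure.example/app/index.html";
const httpTop = { url: "http://plain.example/", parent: null };
const httpsTop = { url: "https://portal.example/", parent: null };
const framedInHttp = { url: page, parent: httpTop };
const framedInHttps = { url: page, parent: httpsTop };
const topLevel = { url: page, parent: null };
const nested = { url: page, parent: { url: "https://mid.example/", parent: httpTop } };
```

Only `framedInHttps` and `topLevel` are handed to `app-sw.js`; `framedInHttp` and `nested` have an HTTP ancestor and get no worker.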
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:0285 https://access.redhat.com/errata/RHSA-2021:0285
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0288 https://access.redhat.com/errata/RHSA-2021:0288
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0289 https://access.redhat.com/errata/RHSA-2021:0289
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0290 https://access.redhat.com/errata/RHSA-2021:0290
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-26976
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0297 https://access.redhat.com/errata/RHSA-2021:0297
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0298 https://access.redhat.com/errata/RHSA-2021:0298
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0299 https://access.redhat.com/errata/RHSA-2021:0299
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:0397 https://access.redhat.com/errata/RHSA-2021:0397