Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest objects created within sandboxes have the system principal instead of the sandbox principal. This can lead to cross-site request forgery (CSRF) or information theft via an add-on running untrusted code in a sandbox.

External Reference: http://www.mozilla.org/security/announce/2012/mfsa2012-97.html

Acknowledgements: Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Gabor Krizsanits as the original reporter.

Statement: This issue does not affect the versions of Firefox and Thunderbird as shipped with Red Hat Enterprise Linux 5 and 6.