Bug 1152366 (CVE-2014-1585, CVE-2014-1586) - CVE-2014-1585 CVE-2014-1586 Mozilla: Inconsistent video sharing within iframe (MFSA 2014-81)
Summary: CVE-2014-1585 CVE-2014-1586 Mozilla: Inconsistent video sharing within iframe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-1585, CVE-2014-1586
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1144388
TreeView+ depends on / blocked
 
Reported: 2014-10-14 02:32 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-05-12 05:21 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-10 21:22:27 UTC
Embargoed:


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2014-10-14 02:32:05 UTC
Mozilla developers Eric Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video sharing using WebRTC. Once video sharing has started within a WebRTC session running within an <iframe>, video will continue to be shared even if the user selects the "e;Stop Sharing" button in the controls. The camera will also remain on even if the user navigates to another site and will begin streaming again if the user returns to the original site. This is a privacy problem and can lead to inadvertent video streaming. This does not affect implementations that are not within an <iframe>.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.


External Reference:

http://www.mozilla.org/security/announce/2014/mfsa2014-81.html


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Eric Shepherd and Jan-Ivar Bruaroey as the original reporter.


Note You need to log in before you can comment on or make changes to this bug.