Mozilla engineer Mark Goodwin discovered that the Firefox Health Report (about:healthreport) accepts certain events from any content document present in the remote-report iframe. If there were another vulnerability that allowed the injection of web content into the Firefox Health Report iframe, this content could change the sharing preferences of a user by firing the appropriate events at its containing page. External Reference: https://www.mozilla.org/security/announce/2016/mfsa2016-48.html
Acknowledgments: Name: the Mozilla project Upstream: Mark Goodwin