The content security policy (CSP) sandbox directive did not create a unique origin for the document, causing it to behave as if the allow-same-origin keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7823
Acknowledgments: Name: the Mozilla project Upstream: Jun Kokatsu
Public now via upstream advisories: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/ https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:2831 https://access.redhat.com/errata/RHSA-2017:2831
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:2885 https://access.redhat.com/errata/RHSA-2017:2885