A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because `addons.mozilla.org` and `accounts.firefox.com` have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process.
Name: the Mozilla project
Upstream: Niklas Baumstark via TrendMicro's Zero Day Initiative
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):