#VU48460 Origin validation error in Mozilla Firefox and Firefox ESR

Published: 2021-01-11

Vulnerability identifier: #VU48460

Vulnerability risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-16012


Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers
Firefox ESR
Client/Desktop applications / Web browsers

Vendor: Mozilla


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way browser handles requests to cross-origin images. When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function takes a variable amount of time depending on the content of the underlying image. This results in cross-origin information exposure of image content through timing side-channel attacks.

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 60.0 - 82.0.3

Firefox ESR: 78.0 - 78.4.1, 68.0 - 68.12.0, 60.0 - 60.9.0

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability