DEBIAN-CVE-2016-1949

DEBIAN-CVE-2016-1949 PUBLISHED CVSS 8.800000190734863 HIGH

Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.

Risk Scores

CVSS v3.0

8.800000190734863

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:13	firefox-esr	0, 0, 0
Debian:11	firefox-esr	0, 0, 0
Debian:14	firefox-esr	0, 0, 0
Debian:12	firefox-esr	0, 0, 0

Timeline

Feb 13, 2016 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2016-1949 advisory

Open in Interactive Console →