High severity7.5NVD Advisory· Published Jun 11, 2018· Updated Jun 17, 2026
CVE-2016-9902
CVE-2016-9902
Description
The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
26- Range: <45.6, <50.1
- osv-coords23 versionspkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweedpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATApkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Manager%202.1pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Manager%20Proxy%202.1pkg:rpm/suse/MozillaFirefox&distro=SUSE%20OpenStack%20Cloud%205
< 128.5.1-1.1+ 22 more
- (no CPE)range: < 128.5.1-1.1
- (no CPE)range: < 50.1.0-1.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-62.1
- (no CPE)range: < 45.6.0esr-66.1
- (no CPE)range: < 45.6.0esr-62.1
- (no CPE)range: < 45.6.0esr-62.1
- (no CPE)range: < 45.6.0esr-62.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-62.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-62.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-96.1
- (no CPE)range: < 45.6.0esr-62.1
- (no CPE)range: < 45.6.0esr-62.1
- (no CPE)range: < 45.6.0esr-62.1
unspecified+ 1 more
- (no CPE)range: unspecified
- (no CPE)range: unspecified
Patches
Vulnerability mechanics
References
8- bugzilla.mozilla.org/show_bug.cginvdExploitIssue TrackingPatch
- rhn.redhat.com/errata/RHSA-2016-2946.htmlnvdThird Party Advisory
- rhn.redhat.com/errata/RHSA-2016-2973.htmlnvdThird Party Advisory
- www.securityfocus.com/bid/94885nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1037461nvdThird Party AdvisoryVDB Entry
- security.gentoo.org/glsa/201701-15nvdThird Party Advisory
- www.mozilla.org/security/advisories/mfsa2016-94/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2016-95/nvdVendor Advisory
News mentions
0No linked articles in our index yet.