Mozilla released Firefox version 16 to the public and within a day the browser had to be pulled from the Web over security concerns. According to Mozilla, the vulnerability could allow a malicious website to capture a user's Web history, which could then be used in further attacks.
Below is an explanation of the vulnerability and how it works from Tal Be'ery, Web Researcher at Imperva:
A “proof of concept” exploit for the vulnerability exists:
* A user browses to the attacker site.
* The attacker opens a new window to Twitter from the attacker's site.
* If the victim is signed in to Twitter, the user gets redirected to a URL that contains a personal Twitter ID.
* The attacker can now query the new window on the URL and obtain the victim’s personal twitter ID.
On previous versions of Firefox, this attack would fail. However, there was a regression in Firefox 16 that allowed this attack to work.