Mozilla Foundation Security Advisory 2015-135
Crash with JavaScript variable assignment with unboxed objects
- Announced: December 15, 2015
- Reporter: Cajus Pollmeier
- Impact: High
- Products: Firefox
- Fixed in: Firefox 43

Description
Security researcher Cajus Pollmeier reported that Firefox 41 was crashing during some JavaScript variable assignments. The issue was caused by an implementation error with unboxed objects and property storing in the JavaScript engine. This error could result in a potentially exploitable crash when triggered by JavaScript content, and could also lead to errors on some websites.
This crash was caused by a change to the JavaScript engine that was first shipped in Firefox 41. Earlier versions of Firefox are unaffected by this problem, including Firefox ESR 38.