CVE-2022-42927 Overview
CVE-2022-42927 is a same-origin policy violation vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird. The flaw allows a malicious page to read cross-origin URL entries through the performance.getEntries() API, effectively leaking the final destination of HTTP redirects. This undermines one of the fundamental security mechanisms of web browsers, the same-origin policy, which is designed to prevent scripts from one origin from accessing data belonging to another origin.
Critical Impact
Attackers can exploit this vulnerability to steal sensitive cross-origin URL information, including redirect destinations, potentially exposing authentication tokens, session identifiers, or other sensitive data embedded in URLs.
Affected Products
- Mozilla Firefox versions prior to 106
- Mozilla Firefox ESR versions prior to 102.4
- Mozilla Thunderbird versions prior to 102.4
Discovery Timeline
- 2022-12-22 - CVE-2022-42927 published to NVD
- 2025-04-15 - Last updated in NVD database
Technical Details for CVE-2022-42927
Vulnerability Analysis
The vulnerability resides in the implementation of the Performance Timeline API, specifically the performance.getEntries() method. Under normal circumstances, this API should only return performance timing data for resources loaded within the same origin. However, due to improper origin validation, an attacker-controlled page could access performance entries for cross-origin resources, including the final URLs of redirects.
When a browser follows an HTTP redirect (3xx status codes), the final destination URL may contain sensitive information. The same-origin policy should prevent unauthorized access to this information. This vulnerability bypasses that protection by allowing the performance.getEntries() method to return data about cross-origin redirects that should be restricted.
Root Cause
The root cause of CVE-2022-42927 is classified as CWE-346 (Origin Validation Error). The browser's Performance Timeline implementation failed to properly validate the origin of resources before including them in the performance entries returned by performance.getEntries(). This allowed scripts to access timing and URL information for cross-origin resources, violating the fundamental same-origin security boundary.
Attack Vector
The attack is network-based and requires user interaction, such as visiting a malicious webpage. An attacker would craft a webpage that:
- Triggers requests to cross-origin resources that perform redirects
- Uses the performance.getEntries() API to retrieve performance timing entries
- Extracts the redirect destination URLs from the entries that should be protected by same-origin policy
- Exfiltrates the leaked URL information to an attacker-controlled server
The vulnerability can be exploited to steal sensitive information contained in redirect URLs, such as OAuth tokens, session identifiers, or other authentication parameters that are commonly passed as URL parameters during redirect flows.
Detection Methods for CVE-2022-42927
Indicators of Compromise
- Unusual or excessive calls to performance.getEntries() or performance.getEntriesByType() from web content
- JavaScript attempting to parse and extract URL information from performance entries
- Network traffic showing exfiltration of URL data to external domains
- Web content making numerous cross-origin requests followed by performance API calls
Detection Strategies
- Monitor browser console logs and JavaScript execution for suspicious use of Performance Timeline APIs
- Implement Content Security Policy (CSP) headers to restrict script sources and detect unauthorized script execution
- Review web application logs for unusual patterns of redirect-based authentication flows being targeted
- Deploy endpoint detection tools to identify known exploit patterns targeting browser vulnerabilities
Monitoring Recommendations
- Enable browser telemetry and crash reporting to detect potential exploitation attempts
- Monitor network traffic for patterns consistent with data exfiltration following redirect flows
- Track browser version deployment across the organization to identify unpatched instances
- Implement browser isolation technologies for high-risk browsing activities
How to Mitigate CVE-2022-42927
Immediate Actions Required
- Update Mozilla Firefox to version 106 or later immediately
- Update Mozilla Firefox ESR to version 102.4 or later
- Update Mozilla Thunderbird to version 102.4 or later
- Enable automatic updates to ensure timely patching of future vulnerabilities
Patch Information
Mozilla has released patches addressing this vulnerability in the following versions:
| Product | Fixed Version | Security Advisory |
|---|---|---|
| Firefox | 106 | MFSA-2022-44 |
| Firefox ESR | 102.4 | MFSA-2022-45 |
| Thunderbird | 102.4 | MFSA-2022-46 |
For detailed technical information, refer to the Mozilla Bug Report #1789128.
Workarounds
- Restrict browsing to trusted websites until patches can be applied
- Use browser isolation or sandboxing technologies to limit the impact of browser-based exploits
- Implement network-level controls to detect and block potential data exfiltration attempts
- Consider using alternative browsers temporarily if patching is delayed
```shell
# Verify Firefox version on Linux/macOS
firefox --version
# Verify Thunderbird version
thunderbird --version
# Update Firefox on Ubuntu/Debian
sudo apt update && sudo apt install firefox
# Update Firefox on Fedora/RHEL
sudo dnf update firefox
```
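The commands above only print the version; to support the inventory step described under Monitoring Recommendations, the following added script (not part of this advisory or of Mozilla's tooling) compares a `--version` banner against the fixed versions listed on this page: Firefox 106, Firefox ESR 102.4 and Thunderbird 102.4. It assumes the banner format "Mozilla Firefox 102.3.0esr" / "Mozilla Thunderbird 102.3.3" and that the binaries, if installed, are on PATH.

```shell
#!/bin/sh
# Added example: classify a Mozilla "--version" banner for CVE-2022-42927.
# Fixed versions from the advisory: Firefox 106, Firefox ESR 102.4, Thunderbird 102.4.

# version_lt A B: succeed when dotted version A is numerically lower than B,
# comparing field by field (missing fields count as 0, so 106 == 106.0).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ -z "$x" ]; then x=0; fi
    if [ -z "$y" ]; then y=0; fi
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
    case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 1
}

# mozilla_status BANNER: print "vulnerable", "fixed" or "unknown".
# Exit status: 0 fixed, 1 vulnerable, 2 unrecognised banner (assumed format).
mozilla_status() {
  banner=$1
  ver=${banner##* }                      # last token, e.g. 102.3.0esr
  case $banner in
    "Mozilla Firefox "*)
      case $ver in
        *esr) fixed=102.4; ver=${ver%esr} ;;   # ESR channel carries an "esr" suffix
        *)    fixed=106 ;;
      esac ;;
    "Mozilla Thunderbird "*) fixed=102.4; ver=${ver%esr} ;;
    *) echo unknown; return 2 ;;
  esac
  case $ver in
    *[!0-9.]*|"") echo unknown; return 2 ;;  # e.g. Nightly "107.0a1"
  esac
  if version_lt "$ver" "$fixed"; then echo vulnerable; return 1; fi
  echo fixed; return 0
}

# Inventory the locally installed binaries, when present on PATH.
for bin in firefox thunderbird; do
  if command -v "$bin" >/dev/null 2>&1; then
    printf '%s: %s\n' "$bin" "$(mozilla_status "$("$bin" --version 2>/dev/null)")"
  fi
done
```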
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.