Advisory ID: 2013-25 Announced: February 19, 2013 Reporter: Frederik Braun Impact: Moderate Products Affected: - Firefox - Firefox ESR - SeaMonkey - Thunderbird - Thunderbird ESR Fixed in: - Firefox 19 - Firefox ESR 17.0.3 - SeaMonkey 2.16 - Thunderbird 17.0.3 - Thunderbird ESR 17.0.3 Description: Privacy leak in JavaScript Workers. Since Firefox 15, the file system location of the active browser profile is available to JavaScript workers, potentially allowing attacks when combined with other vulnerabilities. These flaws cannot be exploited through email in Thunderbird and SeaMonkey due to disabled scripting. Reference: Disclosure of profile directory name in JavaScript variable visible to Workers (CVE-2013-0774)