CVE-2016-9902 log

Source
Severity Medium
Remote Yes
Type Content spoofing
Description
The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. 
Note: this issue does not affect users with e10s enabled.
Group Package Affected Fixed Severity Status Ticket
AVG-106 firefox 50.0.2-1 50.1.0-1 Critical Fixed
Date Advisory Group Package Severity Type
14 Dec 2016 ASA-201612-15 AVG-106 firefox Critical multiple issues
References
https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9902