When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84. Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26976 Reference (s):
- DEBIAN:DSA-4840
- URL: https://www.debian.org/security/2021/dsa-4840
- DEBIAN:DSA-4842
- URL: https://www.debian.org/security/2021/dsa-4842
- GENTOO:GLSA-202102-02