The host is installed with Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, or SeaMonkey before 2.9 and is prone to origin bypass vulnerability. A flaw is present in the applications, which fail to properly construct the Origin and Sec-WebSocket-Origin HTTP headers. Successful exploitation could allow attackers to bypass an IPv6 literal ACL via a cross-site XMLHttpRequest or WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields.