CVE-2016-1937 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting9 documents6 sources

Severity

6.1MEDIUMNVD

OSV9.8

EPSS

0.4%

top 42.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Opensuse Leap Opensuse

Timeline

PublishedJan 31

Latest updateMay 14

Description

The protocol-handler dialog in Mozilla Firefox before 44.0 allows remote attackers to conduct clickjacking attacks via a crafted web site that triggers a single-click action in a situation where a double-click action was intended.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Ubuntumozilla/firefox< 44.0.1+build2-0ubuntu0.14.04.1+1

▶NVDmozilla/firefox43.0.4

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.1, 13.2+1

🔴Vulnerability Details

GHSA

GHSA-c8cc-37rm-6jp9: The protocol-handler dialog in Mozilla Firefox before 44↗2022-05-14

▶

OSV

firefox regression↗2016-02-08

▶

OSV

firefox vulnerabilities↗2016-01-27

▶

OSV

CVE-2016-1937: The protocol-handler dialog in Mozilla Firefox before 44↗2016-01-26

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2016-02-08

▶

Ubuntu

Firefox vulnerabilities↗2016-01-27

▶

Red Hat

Mozilla: Missing delay following user click events in protocol handler dialog (MFSA 2016-06)↗2016-01-26

▶

💬Community

Bugzilla

CVE-2016-1937 Mozilla: Missing delay following user click events in protocol handler dialog (MFSA 2016-06)↗2016-01-26

▶