CVE-2016-9902 — Origin Validation Error in Mozilla Firefox
Severity
7.5 HIGH (NVD)
9.8 (OSV)
EPSS
0.4%
top 38.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 11
Latest update: May 14
Description
The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 7 packages
Also affects: Enterprise Linux 7.3, 7.4, 7.5
Patches
Vulnerability Details (4)
GHSA
GHSA-jhx9-2v44-3f39: The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events (2022-05-14)
CVEList
CVE-2016-9902: The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events (2018-06-11)
OSV
CVE-2016-9902: The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events (2018-06-11)
Vendor Advisories (3)
Community (1)
Bugzilla
CVE-2016-9902 Mozilla: Pocket extension does not validate the origin of events (MFSA 2016-94, MFSA 2016-95) (2016-12-13)