CVE-2017-7770 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation3 documents3 sources

Severity

5.9MEDIUMNVD

EPSS

0.4%

top 41.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJun 11

Latest updateMay 14

Description

A mechanism where when a new tab is loaded through JavaScript events, if fullscreen mode is then entered, the addressbar will not be rendered. This would allow a malicious site to displayed a spoofed addressbar, showing the location of an arbitrary website instead of the one loaded. Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected. This vulnerability affects Firefox < 54.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5mozilla/firefoxunspecified — 54

▶NVDmozilla/firefox< 54.0

▶debiandebian/firefox

🔴Vulnerability Details

GHSA

GHSA-phqm-287h-4733: A mechanism where when a new tab is loaded through JavaScript events, if fullscreen mode is then entered, the addressbar will not be rendered↗2022-05-14

▶

📋Vendor Advisories

Debian

CVE-2017-7770: firefox - A mechanism where when a new tab is loaded through JavaScript events, if fullscr...↗2017

▶