CVE-2017-7814 — Improper Input Validation in Mozilla Firefox
CWE-20 — Improper Input Validation
CWE-494 — Download of Code Without Integrity Check
13 documents, 8 sources
Severity: 7.8 HIGH (NVD); 9.8 (OSV)
EPSS: 0.3% (top 45.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jun 11
Latest update: May 14
Description
File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks through the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious sites to lure users into downloading executables that would otherwise be detected as suspicious. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Affected Packages: 11 packages
Also affects: Debian Linux 7.0, 8.0, 9.0, Enterprise Linux 7.4, 7.5
Patches
🔴 Vulnerability Details (6)
GHSA
GHSA-95j8-9fpj-7wc6: File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks through the Phishing and Malware Protection feature a… (2022-05-14)
CVEList
CVE-2017-7814: File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks through the Phishing and Malware Protection feature a… (2018-06-11)
OSV
CVE-2017-7814: File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks through the Phishing and Malware Protection feature a… (2018-06-11)
📋 Vendor Advisories (5)
💬 Community (1)
Bugzilla
CVE-2017-7814 Mozilla: Blob and data URLs bypass phishing and malware protection warnings (MFSA 2017-22) (2017-09-28)