CVE-2017-7815Improper Input Validation in Mozilla Firefox

CWE-20Improper Input Validation8 documents5 sources
Severity
5.3MEDIUMNVD
OSV9.8
EPSS
0.8%
top 25.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxDebian Firefox
Timeline
PublishedJun 11
Latest updateMay 14

Description

On pages containing an iframe, the "data:" protocol can be used to create a modal dialog through Javascript that will have an arbitrary domains as the dialog's location, spoofing of the origin of the modal dialog from the user view. Note: This attack only affects installations with e10 multiprocess turned off. Installations with e10s turned on do not support the modal dialog functionality. This vulnerability affects Firefox < 56.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

debiandebian/firefox< firefox 56.0-1 (sid)
CVEListV5mozilla/firefoxunspecified56
Ubuntumozilla/firefox< 56.0+build6-0ubuntu0.14.04.1+4
NVDmozilla/firefox55.0.3

🔴Vulnerability Details

4
GHSA
GHSA-r5q3-cfrm-hqph: On pages containing an iframe, the "data:" protocol can be used to create a modal dialog through Javascript that will have an arbitrary domains as the2022-05-14
OSV
firefox regression2017-10-04
OSV
CVE-2017-7815: On pages containing an iframe, the "data:" protocol can be used to create a modal dialog through Javascript that will have an arbitrary domains as the2017-10-02
OSV
firefox vulnerabilities2017-10-02

📋Vendor Advisories

3
Ubuntu
Firefox regression2017-10-04
Ubuntu
Firefox vulnerabilities2017-10-02
Debian
CVE-2017-7815: firefox - On pages containing an iframe, the "data:" protocol can be used to create a moda...2017