CVE-2017-7816 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation CWE-772 — Missing Release of Resource after Effective Lifetime10 documents7 sources

Severity

5.3MEDIUMNVD

OSV9.8

EPSS

0.3%

top 49.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJun 11

Latest updateMay 13

Description

WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This vulnerability affects Firefox < 56.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/firefox< firefox 56.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 56

▶Ubuntumozilla/firefox< 56.0+build6-0ubuntu0.14.04.1+4

▶NVDmozilla/firefox55.0.3

🔴Vulnerability Details

GHSA

GHSA-q9h8-ghr2-6995: WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavio↗2022-05-13

▶

OSV

firefox regression↗2017-10-04

▶

OSV

CVE-2017-7816: WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavio↗2017-10-02

▶

OSV

firefox vulnerabilities↗2017-10-02

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2017-10-04

▶

Ubuntu

Firefox vulnerabilities↗2017-10-02

▶

Red Hat

Qemu: libcacard: host memory leakage while creating new APDU↗2017-02-21

▶

Debian

CVE-2017-7816: firefox - WebExtensions could use popups and panels in the extension UI to load an "about:...↗2017

▶

💬Community

Bugzilla

browser.identity.launchWebAuthFlow can open privileged pages↗2017-12-14

▶