CVE-2017-7823 — Cross-site Scripting in Mozilla Firefox
Severity
5.4 MEDIUM (NVD)
9.8 (OSV)
EPSS
1.4%
top 19.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 11
Latest update: May 14
Description
The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5
Affected Packages: 11 packages
Also affects: Debian Linux 7.0, 8.0, 9.0, Enterprise Linux 7.4, 7.5
Patches
Vulnerability Details (6)
GHSA
GHSA-hhcx-w758-8p3p: The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-orig... (2022-05-14)
OSV
CVE-2017-7823: The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-orig... (2018-06-11)
CVEList
CVE-2017-7823: The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-orig... (2018-06-11)
Vendor Advisories (5)
Debian
CVE-2017-7823: firefox - The content security policy (CSP) "sandbox" directive did not create a unique or... (2017)
Community (1)
Bugzilla
CVE-2017-7823 Mozilla: CSP sandbox directive did not create a unique origin (MFSA 2017-22) (2017-09-28)