CVE-2017-7830 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure26 documents10 sources

Severity

6.5MEDIUMNVD

OSV9.8

EPSS

0.9%

top 24.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +6 more

Timeline

PublishedJun 11

Latest updateMay 13

Description

The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages11 packages

▶CVEListV5mozilla/firefoxunspecified — 57

▶NVDmozilla/firefox< 57.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 52.5

▶Ubuntumozilla/firefox< 57.0+build4-0ubuntu0.14.04.4+7

▶CVEListV5mozilla/thunderbirdunspecified — 52.5

Also affects: Debian Linux 7.0, 8.0, 9.0, Enterprise Linux 7.4, 7.5

🔴Vulnerability Details

GHSA

GHSA-6j6p-p8wc-9jpp: The Resource Timing API incorrectly revealed navigations in cross-origin iframes↗2022-05-13

▶

OSV

CVE-2017-7830: The Resource Timing API incorrectly revealed navigations in cross-origin iframes↗2018-06-11

▶

CVEList

CVE-2017-7830: The Resource Timing API incorrectly revealed navigations in cross-origin iframes↗2018-06-11

▶

OSV

firefox regression↗2018-01-03

▶

OSV

thunderbird vulnerabilities↗2017-12-01

▶

💥Exploits & PoCs

Exploit-DB

Skype for Business 2016 - Cross-Site Scripting↗2017-07-12

▶

📋Vendor Advisories

Apple

CVE-2017-7830: iOS 11.2.5↗2018-01-23

▶

Apple

CVE-2017-7830: macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan↗2018-01-23

▶

Apple

CVE-2017-7830: iTunes 12.7.3 for Windows↗2018-01-23

▶

Apple

CVE-2017-7830: iCloud for Windows 7.3↗2018-01-23

▶

Apple

CVE-2017-7830: Safari 11.0.3↗2018-01-23

▶

💬Community

Bugzilla

Stealing of URL cross-domain using performance.getEntries() once again, treat meta refresh channel as a redirect by setting result principal URL↗2018-06-13

▶

Bugzilla

CVE-2017-7830 Mozilla: Cross-origin URL information leak through Resource Timing API (MFSA 2017-25)↗2017-11-15

▶

Bugzilla

Resource Timing API leaks URL after subframe navigation↗2017-10-16

▶