CVE-2017-7830: The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs…

medium6.5CVSS 3.0

AVNACLPRNUIRSUCHINAN

The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5.

Affected

41 ranges· showing 25

Vendor	Product	Version range	Fixed in
apple	icloud_for_windows	—	—
apple	ios	—	—
apple	itunes_12.7.3_for_windows	—	—
apple	macos_high_sierra_10.13.3_security_update_2018-001_sierra_and_security_update_20	—	—
apple	safari	—	—
apple	tvos	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	firefox	< firefox 57.0-1 (sid)	firefox 57.0-1 (sid)
debian	firefox-esr	< firefox 57.0-1 (sid)	firefox 57.0-1 (sid)
debian	thunderbird	< firefox 57.0-1 (sid)	firefox 57.0-1 (sid)
mozilla	firefox	< 57.0	57.0
mozilla	firefox	< 52.5.0	52.5.0
mozilla	firefox	>= 0 < 57.0+build4-0ubuntu0.14.04.4	57.0+build4-0ubuntu0.14.04.4
mozilla	firefox	>= 0 < 57.0.3+build1-0ubuntu0.14.04.1	57.0.3+build1-0ubuntu0.14.04.1
mozilla	firefox	>= 0 < 57.0+build4-0ubuntu0.14.04.5	57.0+build4-0ubuntu0.14.04.5
mozilla	firefox	>= 0 < 57.0.1+build2-0ubuntu0.14.04.1	57.0.1+build2-0ubuntu0.14.04.1
mozilla	firefox	>= 0 < 57.0+build4-0ubuntu0.16.04.5	57.0+build4-0ubuntu0.16.04.5
mozilla	firefox	>= 0 < 57.0.3+build1-0ubuntu0.16.04.1	57.0.3+build1-0ubuntu0.16.04.1
mozilla	firefox	>= 0 < 57.0+build4-0ubuntu0.16.04.6	57.0+build4-0ubuntu0.16.04.6
mozilla	firefox	>= 0 < 57.0.1+build2-0ubuntu0.16.04.1	57.0.1+build2-0ubuntu0.16.04.1
mozilla	firefox	>= unspecified < 57	57
mozilla	firefox_esr	>= unspecified < 52.5	52.5
mozilla	thunderbird	< 52.5.0	52.5.0

CVSS provenance

nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

osv9.8CRITICAL