CVE-2017-7839
published 2018-06-11

CVE-2017-7839: Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be…

Priority P422 | medium | 6.1 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.14% (62.8th percentile)
Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar. This vulnerability affects Firefox < 57.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 57.0-1 (sid) | firefox 57.0-1 (sid) |
| mozilla | firefox | <= 56.0.2 | |
| mozilla | firefox | >= 0 < 57.0+build4-0ubuntu0.14.04.4 | 57.0+build4-0ubuntu0.14.04.4 |
| mozilla | firefox | >= 0 < 57.0.3+build1-0ubuntu0.14.04.1 | 57.0.3+build1-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 57.0+build4-0ubuntu0.14.04.5 | 57.0+build4-0ubuntu0.14.04.5 |
| mozilla | firefox | >= 0 < 57.0.1+build2-0ubuntu0.14.04.1 | 57.0.1+build2-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 57.0+build4-0ubuntu0.16.04.5 | 57.0+build4-0ubuntu0.16.04.5 |
| mozilla | firefox | >= 0 < 57.0.3+build1-0ubuntu0.16.04.1 | 57.0.3+build1-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 57.0+build4-0ubuntu0.16.04.6 | 57.0+build4-0ubuntu0.16.04.6 |
| mozilla | firefox | >= 0 < 57.0.1+build2-0ubuntu0.16.04.1 | 57.0.1+build2-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 57.0.1+build2-0ubuntu1 | 57.0.1+build2-0ubuntu1 |
| mozilla | firefox | >= unspecified < 57 | 57 |

CVSS provenance

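| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |
| vendor_debian | | 6.1 | MEDIUM | |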