CVE-2018-5114 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure8 documents5 sources

Severity

5.3MEDIUMNVD

OSV9.8

EPSS

0.5%

top 35.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Canonical Ubuntu Linux

Timeline

PublishedJun 11

Latest updateMay 14

Description

If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie. This vulnerability affects Firefox < 58.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/firefox< firefox 58.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 58

▶Ubuntumozilla/firefox< 58.0+build6-0ubuntu0.14.04.1+4

▶NVDmozilla/firefox57.0.4

Also affects: Ubuntu Linux 14.04, 16.04, 17.10

🔴Vulnerability Details

GHSA

GHSA-28wg-555g-fr2v: If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document i↗2022-05-14

▶

OSV

firefox regressions↗2018-02-12

▶

OSV

firefox vulnerabilities↗2018-01-24

▶

OSV

CVE-2018-5114: If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document i↗2018-01-23

▶

📋Vendor Advisories

Ubuntu

Firefox regressions↗2018-02-12

▶

Ubuntu

Firefox vulnerabilities↗2018-01-24

▶

Debian

CVE-2018-5114: firefox - If an existing cookie is changed to be "HttpOnly" while a document is open, the ...↗2018

▶