cbcvebase.
CVE-2018-5143
published 2018-06-11

CVE-2018-5143: URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab…

PriorityP422medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
EPSS
0.94%
56.5th percentile
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59.

Affected

11 ranges
VendorProductVersion rangeFixed in
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debianfirefox< firefox 59.0-1 (sid)firefox 59.0-1 (sid)
mozillafirefox< 59.059.0
mozillafirefox>= 0 < 59.0+build5-0ubuntu0.14.04.159.0+build5-0ubuntu0.14.04.1
mozillafirefox>= 0 < 59.0.2+build1-0ubuntu0.14.04.459.0.2+build1-0ubuntu0.14.04.4
mozillafirefox>= 0 < 59.0+build5-0ubuntu0.16.04.159.0+build5-0ubuntu0.16.04.1
mozillafirefox>= 0 < 59.0.2+build1-0ubuntu0.16.04.359.0.2+build1-0ubuntu0.16.04.3
mozillafirefox>= 0 < 59.0.1+build1-0ubuntu159.0.1+build1-0ubuntu1
mozillafirefox>= unspecified < 5959

CVSS provenance

nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv8.8HIGH
vendor_ubuntu8.8HIGH
vendor_debian6.1MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.