CVE-2018-5179 — Missing Release of Resource after Effective Lifetime in Mozilla Firefox

CWE-772 — Missing Release of Resource after Effective Lifetime5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 37.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox

Timeline

PublishedApr 26

Latest updateMay 24

Description

A service worker can send the activate event on itself periodically which allows it to run perpetually, allowing it to monitor activity by users. Affects all versions prior to Firefox 60.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDmozilla/firefox< 60.0

▶CVEListV5mozilla/firefoxAll versions prior to Firefox 60

🔴Vulnerability Details

GHSA

GHSA-8j5m-6wvx-8fqm: A service worker can send the activate event on itself periodically which allows it to run perpetually, allowing it to monitor activity by users↗2022-05-24

▶

OSV

CVE-2018-5179: A service worker can send the activate event on itself periodically which allows it to run perpetually, allowing it to monitor activity by users↗2019-04-26

▶

📋Vendor Advisories

Red Hat

chromium-browser: Lack of limits on update() in ServiceWorker↗2018-10-16

▶

💬Community

Bugzilla

CVE-2018-5179 chromium-browser: Lack of limits on update() in ServiceWorker↗2018-10-17

▶