CVE-2020-26976 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure11 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

2.0%

top 16.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird Debian Firefox +3 more

Timeline

PublishedJan 7

Latest updateMay 24

Description

When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

▶debiandebian/firefox< firefox 84.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 84

▶NVDmozilla/firefox< 84.0

▶debiandebian/firefox-esr< firefox 84.0-1 (sid)

▶Ubuntumozilla/firefox< 84.0+build3-0ubuntu0.16.04.1+2

Also affects: Debian Linux 10.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-77q8-crvw-8w9q: When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted th↗2022-05-24

▶

OSV

CVE-2020-26976: When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted th↗2021-01-07

▶

OSV

firefox vulnerabilities↗2020-12-15

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2021-02-16

▶

Red Hat

Mozilla: HTTPS pages could have been intercepted by a registered service worker when they should not have been↗2021-01-26

▶

Ubuntu

Firefox vulnerabilities↗2020-12-15

▶

Debian

CVE-2020-26976: firefox - When a HTTPS pages was embedded in a HTTP page, and there was a service worker r...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2021-05: CVE-2020-26976↗

▶