CVE-2021-29971 — Improper Preservation of Permissions in Mozilla Firefox

CWE-281 — Improper Preservation of Permissions5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 38.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedAug 5

Latest updateMay 24

Description

If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5mozilla/firefoxunspecified — 90

▶NVDmozilla/firefox< 90.0

▶debiandebian/firefox

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-hmhq-whfw-x78q: If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be↗2022-05-24

▶

OSV

CVE-2021-29971: If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be↗2021-08-05

▶

📋Vendor Advisories

Debian

CVE-2021-29971: firefox - If a user had granted a permission to a webpage and saved that grant, any webpag...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-28: CVE-2021-29971↗

▶