CVE-2022-26382 — Observable Discrepancy in Mozilla Firefox

CWE-203 — Observable Discrepancy11 documents6 sources

Severity

4.3MEDIUMNVD

OSV8.8

EPSS

0.3%

top 47.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 22

Description

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox < 98.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶debiandebian/firefox< firefox 98.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 98

▶NVDmozilla/firefox< 98.0

▶Ubuntumozilla/firefox< 98.0+build3-0ubuntu0.18.04.2+6

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-7mvx-m8hq-f37g: While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts↗2022-12-22

▶

OSV

firefox regressions↗2022-03-24

▶

OSV

firefox vulnerabilities↗2022-03-17

▶

OSV

firefox vulnerabilities↗2022-03-10

▶

OSV

CVE-2022-26382: While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts↗2022-03-09

▶

📋Vendor Advisories

Ubuntu

Firefox regressions↗2022-03-24

▶

Ubuntu

Firefox vulnerabilities↗2022-03-17

▶

Ubuntu

Firefox vulnerabilities↗2022-03-10

▶

Debian

CVE-2022-26382: firefox - While the text displayed in Autofill tooltips cannot be directly read by JavaScr...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-10: CVE-2022-26382↗

▶