CVE-2022-36316 — Open Redirect in Mozilla Firefox

CWE-601 — Open Redirect6 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 50.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird Debian Firefox

Timeline

PublishedDec 22

Description

When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect. This vulnerability affects Firefox < 103.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages6 packages

▶debiandebian/firefox< firefox 103.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 103

▶NVDmozilla/firefox< 103.0

▶Ubuntumozilla/firefox< 103.0+build1-0ubuntu0.18.04.1+1

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-hj6m-j4xw-c8m8: When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had↗2022-12-22

▶

OSV

CVE-2022-36316: When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had↗2022-07-27

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-07-28

▶

Debian

CVE-2022-36316: firefox - When using the Performance API, an attacker was able to notice subtle difference...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-28: CVE-2022-36316↗

▶