CVE-2023-3482Missing Authorization in Mozilla Firefox

CWE-862Missing Authorization8 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 51.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxDebian FirefoxMsrc Azl3 Mozjs 102.15.1-1 ON Azure Linux 3.0
Timeline
PublishedJul 5
Latest updateJul 11

Description

When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a source of 'about:blank'. This could have led to malicious websites storing tracking data without permission. This vulnerability affects Firefox < 115.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

debiandebian/firefox< firefox 115.0-1 (sid)
CVEListV5mozilla/firefoxunspecified115
NVDmozilla/firefox< 115.0
Ubuntumozilla/firefox< 115.0+build2-0ubuntu0.20.04.3
mozillamozilla/firefox

🔴Vulnerability Details

3
OSV
firefox vulnerabilities2023-07-05
GHSA
GHSA-qv6f-vv52-ch9r: When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a source of 'a2023-07-05
OSV
CVE-2023-3482: When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a source of 'a2023-07-05

📋Vendor Advisories

4
Microsoft
When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a source of 'about:blank'. This could have led to malicious webs2023-07-11
Ubuntu
Firefox vulnerabilities2023-07-05
Debian
CVE-2023-3482: firefox - When Firefox is configured to block storage of all cookies, it was still possibl...2023
Mozilla
Mozilla Foundation Security Advisory 2023-22: CVE-2023-3482
CVE-2023-3482 — Missing Authorization in Mozilla | cvebase