CVE-2017-7791 Information

Description

On pages containing an iframe the \data:\ protocol can be used to create a modal alert that will render over arbitrary domains following page navigation spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird 52.3 Firefox ESR 52.3 and Firefox 55.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

http://www.securityfocus.com/bid/100240 http://www.securitytracker.com/id/1039124 https://access.redhat.com/errata/RHSA-2017:2456 https://access.redhat.com/errata/RHSA-2017:2534 https://bugzilla.mozilla.org/show_bug.cgi?id=1365875 https://security.gentoo.org/glsa/201803-14 https://www.debian.org/security/2017/dsa-3928 https://www.debian.org/security/2017/dsa-3968 https://www.mozilla.org/security/advisories/mfsa2017-18/ https://www.mozilla.org/security/advisories/mfsa2017-19/ https://www.mozilla.org/security/advisories/mfsa2017-20/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

5.3