CVE-2017-7820 Information

Description

The \instanceof\ operator can bypass the Xray wrapper mechanism. When called on web content from the browser itself or an extension the web content can provide its own result for that operator possibly tricking the browser or extension into mishandling the element. This vulnerability affects Firefox 56.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

http://www.securityfocus.com/bid/101057 http://www.securitytracker.com/id/1039465 https://bugzilla.mozilla.org/show_bug.cgi?id=1378207 https://www.mozilla.org/security/advisories/mfsa2017-21/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

5.3