CVE-2018-5143 Information

Description

URLs using "javascript:" have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL, the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox 59.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

http://www.securityfocus.com/bid/103386
http://www.securitytracker.com/id/1040514
https://bugzilla.mozilla.org/show_bug.cgi?id=1422643
https://usn.ubuntu.com/3596-1/
https://www.mozilla.org/security/advisories/mfsa2018-06/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM
