Vulnerability Description
WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 51.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/95763Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037693Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1308688ExploitIssue TrackingPatch
- https://www.mozilla.org/security/advisories/mfsa2017-01/Vendor Advisory
- http://www.securityfocus.com/bid/95763Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037693Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1308688ExploitIssue TrackingPatch
- https://www.mozilla.org/security/advisories/mfsa2017-01/Vendor Advisory
FAQ
What is CVE-2017-5389?
CVE-2017-5389 is a vulnerability with a CVSS score of 6.1 (MEDIUM). WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This...
How severe is CVE-2017-5389?
CVE-2017-5389 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-5389?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.