Vulnerability Description
The combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave, can be spoofed in the addressbar by the dotless version of 'i' followed by the same accent as a second character with most font sets. This allows for domain spoofing attacks because these combined domain names do not display as punycode. This vulnerability affects Firefox < 57.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 56.0.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/101832Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039803Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1408782Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2017-24/Vendor Advisory
- http://www.securityfocus.com/bid/101832Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039803Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1408782Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2017-24/Vendor Advisory
FAQ
What is CVE-2017-7832?
CVE-2017-7832 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave, can be spoofed in the addressbar by the dotless version of 'i' followed ...
How severe is CVE-2017-7832?
CVE-2017-7832 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7832?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.