Vulnerability Description
Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar. This vulnerability affects Firefox < 57.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 56.0.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/101832Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039803Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1402896Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2017-24/Vendor Advisory
- http://www.securityfocus.com/bid/101832Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039803Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1402896Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2017-24/Vendor Advisory
FAQ
What is CVE-2017-7839?
CVE-2017-7839 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This c...
How severe is CVE-2017-7839?
CVE-2017-7839 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7839?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.