Vulnerability Description
If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown protocol" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 59.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 59.0 |
| Canonical | Ubuntu Linux | 14.04 |
References
- http://www.securityfocus.com/bid/103386Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040514Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1366357Permissions Required
- https://usn.ubuntu.com/3596-1/Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-06/Vendor Advisory
- http://www.securityfocus.com/bid/103386Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1040514Third Party AdvisoryVDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1366357Permissions Required
- https://usn.ubuntu.com/3596-1/Third Party Advisory
- https://www.mozilla.org/security/advisories/mfsa2018-06/Vendor Advisory
FAQ
What is CVE-2018-5142?
CVE-2018-5142 is a vulnerability with a CVSS score of 5.3 (MEDIUM). If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. The notification stat...
How severe is CVE-2018-5142?
CVE-2018-5142 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-5142?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Canonical Ubuntu Linux.