| Description: | Summary:
Mozilla Firefox is prone to multiple vulnerabilities.
Vulnerability Insight:
Multiple flaws exist due to:
- Use-after-free error with Fetch API.
- Firefox for Android address bar spoofing through full screen mode.
- Use-after-free error during ARIA array manipulation.
- Use-after-free error while resizing images in design mode.
- Buffer overflow error when drawing and validating elements with ANGLE.
- Use-after-free error in TLS 1.2 generating handshake hashes.
- Drag and drop of malicious page content to the tab bar can open locally stored files.
- Blob and data URLs bypass phishing and malware protection warnings.
- Integer truncation in the JavaScript parser.
- OS X fonts render some Tibetan and Arabic unicode characters as spaces.
- Spoofing attack with modal dialogs on non-e10s installations.
- Web Extensions can load about: URLs in extension UI.
- Web Extensions can download and open non-executable files without user interaction.
- CSP sandbox directive did not create a unique origin.
- Web Crypto allows AES-GCM with 0-length IV.
- Xray wrapper bypass with new tab and web console.
- Memory safety bugs fixed in Firefox 56.
Vulnerability Impact:
Successful exploitation of these
vulnerabilities will allow remote attackers to cause denial of service, conduct
spoofing attack, obtain sensitive information and execute arbitrary code.
Affected Software/OS:
Mozilla Firefox versions before 56.0.
Solution:
Update to version 56.0 or later.
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
