CVE-2017-7787
Published: 10 August 2017
Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
Notes
Author | Note |
---|---|
tyhicks | mozjs38 contains a copy of the SpiderMonkey JavaScript engine |
Priority
Status
Package | Release | Status |
---|---|---|
firefox | artful | Released (55.0.2+build1-0ubuntu4) |
firefox | bionic | Released (55.0.2+build1-0ubuntu4) |
firefox | cosmic | Released (55.0.2+build1-0ubuntu4) |
firefox | disco | Released (55.0.2+build1-0ubuntu4) |
firefox | trusty | Released (55.0.1+build2-0ubuntu0.14.04.2) |
firefox | upstream | Released (55.0) |
firefox | xenial | Released (55.0.1+build2-0ubuntu0.16.04.2) |
firefox | zesty | Released (55.0.1+build2-0ubuntu0.17.04.2) |
mozjs38 | artful | Ignored (end of life) |
mozjs38 | bionic | Not vulnerable (code not present) |
mozjs38 | cosmic | Does not exist |
mozjs38 | disco | Does not exist |
mozjs38 | trusty | Does not exist |
mozjs38 | upstream | Needs triage |
mozjs38 | xenial | Does not exist |
mozjs38 | zesty | Ignored (end of life) |
thunderbird | artful | Released (1:52.4.0+build1-0ubuntu2) |
thunderbird | bionic | Released (1:52.4.0+build1-0ubuntu2) |
thunderbird | cosmic | Released (1:52.4.0+build1-0ubuntu2) |
thunderbird | disco | Released (1:52.4.0+build1-0ubuntu2) |
thunderbird | trusty | Released (1:52.3.0+build1-0ubuntu0.14.04.1) |
thunderbird | upstream | Released (52.3.0) |
thunderbird | xenial | Released (1:52.3.0+build1-0ubuntu0.16.04.1) |
thunderbird | zesty | Released (1:52.3.0+build1-0ubuntu0.17.04.1) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |