A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/105718 | Third Party Advisory VDB Entry |
http://www.securitytracker.com/id/1041944 | Third Party Advisory VDB Entry |
https://access.redhat.com/errata/RHSA-2018:3005 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2018:3006 | Third Party Advisory |
https://bugzilla.mozilla.org/show_bug.cgi?id=1487478 | Issue Tracking Permissions Required Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2018/11/msg00008.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/201811-04 | Third Party Advisory |
https://usn.ubuntu.com/3801-1/ | Third Party Advisory |
https://www.debian.org/security/2018/dsa-4324 | Third Party Advisory |
https://www.mozilla.org/security/advisories/mfsa2018-26/ | Vendor Advisory |
https://www.mozilla.org/security/advisories/mfsa2018-27/ | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mozilla
Published: 2019-02-28T18:00:00
Updated: 2019-03-01T10:57:01
Reserved: 2018-06-14T00:00:00
Link: CVE-2018-12397
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-02-28T18:29:00.883
Modified: 2019-03-01T15:00:30.520
Link: CVE-2018-12397
JSON object: View
Redhat Information
No data.
CWE