When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an origin they didn't control, resulting in a spoofing attack. This was fixed by changing external protocol prompts to be tab-modal while also ensuring they could not be incorrectly associated with a different origin. This vulnerability affects Firefox < 82.
References
Link | Resource |
---|---|
https://bugzilla.mozilla.org/show_bug.cgi?id=1636654 | Issue Tracking Permissions Required Vendor Advisory |
https://www.mozilla.org/security/advisories/mfsa2020-45/ | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mozilla
Published: 2020-10-22T20:32:25
Updated: 2020-10-22T20:32:25
Reserved: 2020-07-10T00:00:00
Link: CVE-2020-15682
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-10-22T21:15:13.433
Modified: 2020-10-30T13:15:19.680
Link: CVE-2020-15682
JSON object: View
Redhat Information
No data.
CWE