Lucene search

K
mozillaMozilla FoundationMFSA2021-20
HistoryMay 05, 2021 - 12:00 a.m.

Security Vulnerabilities fixed in Firefox 88.0.1, Firefox for Android 88.1.3 — Mozilla

2021-05-0500:00:00
Mozilla Foundation
www.mozilla.org
738

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

5.1 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

60.1%

By triggering multiple pop-up prompts containing javascript: URLs, a malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability.Note: This issue only affected Firefox for Android. Other operating systems are unaffected.
When Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort may have been exploitable to run arbitrary code.

Affected configurations

Vulners
Node
mozillafirefoxRange<88.0.1
OR
mozillafirefoxRange<88.1.3
CPENameOperatorVersion
firefoxlt88.0.1
firefox for androidlt88.1.3

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

5.1 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

60.1%