Ubuntu.comUB:CVE-2021-23976CVE-2021-23976
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
52.2%
When accepting a malicious intent from other installed apps, Firefox for
Android accepted manifests from arbitrary file paths and allowed declaring
webapp manifests for other origins. This could be used to gain fullscreen
access for UI spoofing and could also lead to cross-origin attacks on
targeted websites. Note: This issue is a different issue from
CVE-2020-26954 and only affected Firefox for Android. Other operating
systems are unaffected. This vulnerability affects Firefox < 86.
Notes
| Author | Note |
|---|---|
| tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
References
bugzilla.mozilla.org/show_bug.cgi?id=1684627
launchpad.net/bugs/cve/CVE-2021-23976
nvd.nist.gov/vuln/detail/CVE-2021-23976
security-tracker.debian.org/tracker/CVE-2021-23976
www.cve.org/CVERecord?id=CVE-2021-23976
www.mozilla.org/en-US/security/advisories/mfsa2021-07/#CVE-2021-23976
www.mozilla.org/security/advisories/mfsa2021-07/
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
52.2%