CVE-2017-5389
Last modified
CVE-2017-5389 is a vulnerability of currently unknown severity. WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. EPSS estimates a 0.93% chance of exploitation in the next 30 days.
Description
WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 51.0 |
References
- http://www.securityfocus.com/bid/95763Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1037693Third Party Advisory, VDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1308688Exploit, Issue Tracking, Patch, Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-01/Vendor Advisory
- http://www.securityfocus.com/bid/95763Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1037693Third Party Advisory, VDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1308688Exploit, Issue Tracking, Patch, Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2017-01/Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-5389?
How severe is CVE-2017-5389?
How do I fix CVE-2017-5389?
Are you affected by CVE-2017-5389?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST