vulnerability

MFSA2016-46 Firefox: Elevation of privilege with chrome.tabs.update API in web extensions (CVE-2016-2817)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	Apr 26, 2016	Apr 27, 2016	Oct 30, 2017

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Apr 26, 2016

Added

Apr 27, 2016

Modified

Oct 30, 2017

Description

The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in Mozilla Firefox before 46.0 does not properly restrict principal inheritance during chrome.tabs.create and chrome.tabs.update API calls, which allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted extension that accesses a (1) javascript: or (2) data: URL.

Solution

mozilla-firefox-upgrade-46_0

References

CVE-2016-2817
https://attackerkb.com/topics/CVE-2016-2817
URL-http://www.mozilla.org/security/announce/2016/mfsa2016-46.html

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today