Vulnerability & Exploit Database

Oracle Linux: CVE-2017-7843: ELSA-2017-3382 - firefox security update

Severity: 4
CVSS (v2 vector): AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: December 04, 2017
Added: December 04, 2017
Modified: December 05, 2017

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From ELSA-2017-3382:

[52.5.1-1.0.1]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one
- Force requirement of newer gdk-pixbuf2 to ensure a proper update (Todd Vierling) [orabug 19847484]

[52.5.1-1]
- Update to 52.5.1 ESR

From RHSA-2017:3382:

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 52.5.1 ESR.

Security Fix(es):

A privacy flaw was discovered in Firefox. In Private Browsing mode, a web worker could write persistent data to IndexedDB, which was not cleared when exiting and would persist across multiple sessions. A malicious website could exploit the flaw to bypass private-browsing protections and uniquely fingerprint visitors. (CVE-2017-7843)

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Konark as the original reporter.

From VID-B7E23050-2D5D-4E61-9B48-62E89DB222CA:

Mozilla Foundation reports:

CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

CVE-2017-7844: Visited history information leak through SVG image

Solution

oracle-linux-upgrade-firefox: upgrade the firefox package to the 52.5.1 ESR build shipped in ELSA-2017-3382 (or any later release).
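The following is an added example, not part of the Oracle, Red Hat or Rapid7 advisory text: a POSIX shell check that compares the installed firefox RPM's VERSION tag against the 52.5.1 fix version named above. The `rpm -q --qf` invocation is the standard rpm CLI; the function names (`version_ge`, `firefox_status`, `installed_firefox_version`, `check_installed_firefox`) and the `--check` flag are this example's own, and the version strings in the comments are constructed for illustration. It assumes the fixed build is identifiable by the RPM VERSION tag alone, which holds here because the advisory ships the full 52.5.1 ESR rather than a backported patch.

```shell
#!/bin/sh
# Added example, not from ELSA-2017-3382 / RHSA-2017:3382. Checks whether
# the installed firefox package on Oracle Linux carries the CVE-2017-7843
# fix, i.e. is at or above 52.5.1 ESR as stated in the advisory.
# Assumption: comparing the RPM VERSION tag is sufficient, since the fix
# is a full upstream version bump rather than a backported patch.

FIXED_VERSION="52.5.1"

# version_ge A B: returns 0 when dotted version A >= B, comparing each
# numeric component in turn. Missing trailing components count as 0,
# so "52.5" compares equal to "52.5.0" and below "52.5.1".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# firefox_status VERSION: prints "fixed" or "vulnerable" for a firefox
# VERSION string (constructed examples: "52.4.0" -> vulnerable,
# "52.5.1" -> fixed, "60.3.0" -> fixed).
firefox_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# installed_firefox_version: prints the VERSION tag of the installed
# firefox package (first entry if several architectures are installed);
# returns non-zero and prints nothing when the package is absent.
# Note: rpm writes "package firefox is not installed" to stdout, so the
# exit status, not the output, is what signals absence.
installed_firefox_version() {
    v=$(rpm -q --qf '%{VERSION}\n' firefox 2>/dev/null) || return 1
    printf '%s\n' "$v" | head -n 1
}

# check_installed_firefox: report the installed package; exit status 0
# only when the installed version is at or above the fixed version.
check_installed_firefox() {
    v=$(installed_firefox_version) || { echo "firefox is not installed"; return 2; }
    s=$(firefox_status "$v")
    echo "firefox $v: $s"
    [ "$s" = fixed ]
}

# Run the live check only when explicitly asked, so the file can also be
# sourced for its functions.
case "${1:-}" in
    --check) check_installed_firefox ;;
esac
```

Run it as `sh check.sh --check` on the host; a non-zero exit means the firefox package is missing or still below 52.5.1. Because ELSA-2017-3382 also updates the release tag (52.5.1-1.0.1), a stricter site policy can additionally compare `%{RELEASE}`, but the VERSION comparison alone already distinguishes pre-fix 52.4.x and 52.5.0 builds from the fixed one.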