Security restrictions bypass in firefox-esr (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-7843 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
firefox-esr (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Security restrictions bypass
EUVDB-ID: #VU9527
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7843
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists in web worker while in Private Browsing mode due to improper input validation. A remote attacker can trick the victim into visiting a specially crafted website, bypass private-browsing protections and uniquely fingerprint visitors.to write persistent data to IndexedDB, which was not cleared when exiting and would persist across multiple sessions.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Alpine package): 52.5.0-r0
CPE2.3 External linkshttp://git.alpinelinux.org/aports/commit/?id=21febb02a03ed44bde98b19a5e38d54a2ac01c33
http://git.alpinelinux.org/aports/commit/?id=42d0fe5b17329c55a287471860d50478d65c8669
http://git.alpinelinux.org/aports/commit/?id=26701b74f891400a545844d0ba4f616001b15944
http://git.alpinelinux.org/aports/commit/?id=ce1893a60404d9954a620738b865fe7d085a0019
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
