#VU33564 Information disclosure - CVE-2017-5378

Vulnerability identifier: #VU33564

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-5378

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered through hash codes, and also allows for data leakage of an object's content using these hash codes. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.

Mitigation
Install update from vendor's website.

External links
https://rhn.redhat.com/errata/RHSA-2017-0190.html
https://rhn.redhat.com/errata/RHSA-2017-0238.html
https://www.securityfocus.com/bid/95769
https://www.securitytracker.com/id/1037693
https://bugzilla.mozilla.org/show_bug.cgi?id=1312001
https://bugzilla.mozilla.org/show_bug.cgi?id=1330769
https://security.gentoo.org/glsa/201702-13
https://security.gentoo.org/glsa/201702-22
https://www.debian.org/security/2017/dsa-3771
https://www.debian.org/security/2017/dsa-3832
https://www.mozilla.org/security/advisories/mfsa2017-01/
https://www.mozilla.org/security/advisories/mfsa2017-02/
https://www.mozilla.org/security/advisories/mfsa2017-03/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.