Firefox for Android address bar spoofing in Mozilla Firefox

#VU8620 Firefox for Android address bar spoofing in Mozilla Firefox

Published: 2017-09-28 | Updated: 2017-09-29

Vulnerability identifier: #VU8620

Vulnerability risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7817

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description
The vulnerability allows a remote attacker to perform spoofing attack.

A spoofing vulnerability can occur when a page switches to fullscreen mode without user notification, allowing a fake address bar to be displayed. This allows an attacker to spoof which page is actually loaded and in use.

Note: This attack only affects Firefox for Android. Other operating systems are not affected.

Mitigation
Update to version 56.0.

Vulnerable software versions

Mozilla Firefox: 48.0 - 55.0.3

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2017-21/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Mozilla Firefox