#VU8626 Spoofing attack with modal dialogs on non-e10s installations in Mozilla Firefox - CVE-2017-7815

Cybersecurity Help s.r.o.

Published: 2017-09-28 | Updated: 2017-09-29

Vulnerability identifier: #VU8626

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-7815

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description
The vulnerability allows a remote attacker to perform spoofing attack.

On pages containing an iframe, the data: protocol can be used to create a modal dialog through Javascript that will have an arbitrary domains as the dialog's location, spoofing of the origin of the modal dialog from the user view.

Note: This attack only affects installations with e10 multiprocess turned off. Installations with e10s turned on do not support the modal dialog functionality.

Mitigation
Update to version 56.0.

Vulnerable software versions

Mozilla Firefox: 48.0 - 55.0.3

External links
https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for Firefox

Multiple vulnerabilities in Mozilla Firefox