CVE-2017-7843

MEDIUM

Description

When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1.

References

http://www.securityfocus.com/bid/102039

http://www.securityfocus.com/bid/102112

http://www.securitytracker.com/id/1039954

https://access.redhat.com/errata/RHSA-2017:3382

https://bugzilla.mozilla.org/show_bug.cgi?id=1410106

https://lists.debian.org/debian-lts-announce/2017/12/msg00003.html

https://www.debian.org/security/2017/dsa-4062

https://www.mozilla.org/security/advisories/mfsa2017-27/

https://www.mozilla.org/security/advisories/mfsa2017-28/

Details

Source: MITRE

Published: 2018-06-11

Updated: 2018-08-06

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Tenable Plugins

View all (20 total)

ID	Name	Product	Family	Severity
127356	NewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2019-0116)	Nessus	NewStart CGSL Local Security Checks	critical
127141	NewStart CGSL MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2019-0001)	Nessus	NewStart CGSL Local Security Checks	critical
700333	Mozilla Firefox ESR < 52.5.2 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
700323	Mozilla Firefox < 57.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
700322	Mozilla Firefox < 57 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical
106884	GLSA-201802-03 : Mozilla Firefox: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
105308	EulerOS 2.0 SP2 : firefox (EulerOS-SA-2017-1327)	Nessus	Huawei Local Security Checks	medium
105307	EulerOS 2.0 SP1 : firefox (EulerOS-SA-2017-1326)	Nessus	Huawei Local Security Checks	medium
105246	openSUSE Security Update : MozillaFirefox (openSUSE-2017-1366)	Nessus	SuSE Local Security Checks	medium
105212	Mozilla Firefox ESR < 52.5.2 Multiple Vulnerabilities	Nessus	Windows	high
105211	Mozilla Firefox ESR < 52.5.2 Private Mode Fingerprinting Vulnerability (macOS)	Nessus	MacOS X Local Security Checks	medium
105123	Debian DSA-4062-1 : firefox-esr - security update	Nessus	Debian Local Security Checks	medium
105118	Debian DLA-1202-1 : firefox-esr security update	Nessus	Debian Local Security Checks	medium
105060	CentOS 6 / 7 : firefox (CESA-2017:3382)	Nessus	CentOS Local Security Checks	medium
105040	Mozilla Firefox < 57.0.1 Multiple Vulnerabilities	Nessus	Windows	medium
105039	Mozilla Firefox < 57.0.1 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	medium
105030	Scientific Linux Security Update : firefox on SL6.x, SL7.x i386/x86_64 (20171205)	Nessus	Scientific Linux Local Security Checks	medium
105027	Oracle Linux 6 / 7 : firefox (ELSA-2017-3382)	Nessus	Oracle Linux Local Security Checks	medium
105026	FreeBSD : mozilla -- multiple vulnerabilities (b7e23050-2d5d-4e61-9b48-62e89db222ca)	Nessus	FreeBSD Local Security Checks	medium
105018	RHEL 6 / 7 : firefox (RHSA-2017:3382)	Nessus	Red Hat Local Security Checks	medium