Mozilla Firefox ESR < 52.5 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700332

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 52.5 are unpatched for the following vulnerabilities:

- A flaw exists in the 'NewReactionRecord()' function in 'js/src/builtin/Promise.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'VerifyCMSDetachedSignatureIncludingCertificate()' function in 'security/manager/ssl/nsDataSignatureVerifier.cpp' that is triggered when handling PKCS#7 signedData content. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'ContainerLayerComposite::mPrepared()' function in 'gfx/layers/composite/ContainerLayerComposite.cpp' that is triggered when handling layers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'MArgumentsLength::computeRange()' function in 'js/src/jit/RangeAnalysis.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in 'widget/windows/AudioSession.cpp' that is triggered when handling AudioSession objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered when handling WebGL texture images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free flaw exists in the 'nsDocShell::~nsDocShell()' function in 'docshell/base/nsDocShell.cpp' that is triggered when notifying observers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'CleanupOSFileConstants()' function in 'dom/system/OSFileConstants.cpp' related to use of uninitialized memory. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'ApplicationReputationService::~ApplicationReputationService()' function in 'toolkit/components/downloads/ApplicationReputation.cpp' that is triggered as certain pointers are not properly cleared. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'EnumerableOwnProperties()' function in 'js/src/builtin/Object.cpp' that is triggered when rooting objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free flaw exists in the 'CompositorBridgeChild::RecvDidComposite()' function in 'gfx/layers/ipc/CompositorBridgeChild.cpp' that is triggered when handling texture pools. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'nsViewManager::~nsViewManager()' function in 'view/nsViewManager.cpp' that is triggered as the PresShell object is not properly handled. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'TLSFilterTransaction::Close()' function in 'netwerk/protocol/http/TunnelUtils.cpp' that is triggered as timers are not properly handled when a transaction is canceled. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'EventStateManager::DispatchCrossProcessEvent()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling drag events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsNodeUtils::CloneAndAdopt()' function in 'dom/base/nsNodeUtils.cpp' that is triggered when handling properties of adopted nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'PropertyReadNeedsTypeBarrier()' function in 'jit/MIR.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A logic flaw exists in the 'IsMarkedBlack()' function in 'js/src/gc/Barrier.cpp' that is triggered during gray marking asserts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when flushing and resizing the layout, which may cause the PresShell object to be freed while still in use. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'HttpBaseChannel::GetPerformance()' function in 'netwerk/protocol/http/HttpBaseChannel.cpp' that is triggered as navigations in cross-origin iframes are revealed. Using the Resource Timing API, this may allow a context-dependent attacker to gain access to cross-origin URL information.

Solution

Upgrade to Firefox ESR version 52.5 or later.
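The check behind this solution is a version comparison against the fixed release, 52.5. The script below is an added example written for this page, not Tenable's plugin code, and it assumes the version strings come from Firefox ESR installs (for example from a software inventory) in the common "52.4.1esr" form; the inventory it scans is constructed sample data.

```python
import re

# Fixed release named in the advisory: Firefox ESR 52.5.
FIXED_VERSION = (52, 5)

# Constructed sample inventory of (hostname, reported version string); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "52.4.1esr"),
    ("ws-02", "52.5.0esr"),
    ("ws-03", "52.3.0"),
    ("ws-04", "60.2.0esr"),
    ("ws-05", "not-a-version"),
]

# Digits separated by dots, with an optional "esr" suffix as Firefox ESR reports it.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:esr)?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn '52.4.1esr' into (52, 4, 1); raise ValueError on anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text):
    """True when the reported version is earlier than the fixed release 52.5.

    Tuple comparison handles differing lengths correctly: (52, 5, 0) is not
    earlier than (52, 5), while (52, 4, 1) and (52, 3) are.
    """
    return parse_version(version_text) < FIXED_VERSION


def affected_hosts(inventory):
    """Return the (host, version) pairs that still need the upgrade.

    Entries whose version string cannot be parsed are skipped here; a real
    pipeline would report them separately rather than silently treat them as patched.
    """
    affected = []
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                affected.append((host, version))
        except ValueError:
            continue
    return affected


if __name__ == "__main__":
    for host, version in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Firefox ESR {version} is earlier than 52.5, upgrade required")
```

Because the comparison is done on integer tuples rather than on the raw strings, "52.10" would correctly sort above "52.5" if such a release existed, which a plain string comparison would get wrong.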

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-25

Plugin Details

Severity: High

ID: 700332

Family: Web Clients

Published: 8/21/2018

Updated: 11/6/2019

Dependencies: 9131

Nessus ID: 104637

Risk Information

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

Patch Publication Date: 11/14/2017

Vulnerability Publication Date: 10/25/2017

Reference Information

CVE: CVE-2017-7826, CVE-2017-7828, CVE-2017-7830

BID: 101832