Ronen Zilberman

Name of the Vulnerable Software and Affected Versions: Mozilla Firefox versions prior to 58 Description: The issue is related to an insufficiency in the source confirmation mechanism of the WebExtensions extension in Mozilla Firefox. This can allow a remote attacker to gain unauthorized access to protected information, compromise its integrity, and cause a denial of service. The vulnerability can be exploited by malicious extensions that have the "ActiveTab" permission, allowing them to access frames hosted within the active tab, even if they are cross-origin, and inject frames from arbitrary origins into the loaded page, thus bypassing same-origin user expectations. Recommendations: For versions prior to 58, update to version 58 or later to resolve the issue. As a temporary workaround, consider disabling the use of extensions with the "ActiveTab" permission until a patch is available. Restrict access to the `ActiveTab` permission to minimize the risk of exploitation. Avoid using extensions that can inject frames from arbitrary origins into the loaded page until the issue is resolved.