CVE-2018-5133

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 59

Description The issue is related to the "app.support.baseURL" preference, which can be modified by a malicious local program to include HTML and script content. This content is not sanitized and will be executed under certain conditions, such as when a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and performs a search. Additionally, the stored preference is executed when an EME video player plugin displays a CDM-disabled message as a notification. This could potentially allow a remote attacker to gain unauthorized access to protected information.

Recommendations For versions prior to 59, update to version 59 or later to resolve the issue. As a temporary workaround, consider restricting access to the "app.support.baseURL" preference to minimize the risk of exploitation. Avoid loading "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executing searches until the issue is resolved.