PT-2017-16471 · Mozilla+3 · Firefox+3

Alex Chapman +1 · Published 2017-01-24 · Updated 2024-12-12 · CVE-2017-5384

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 51

Description

The issue concerns Proxy Auto-Config (PAC) files, which can specify a JavaScript function that is called for all URL requests, potentially exposing more information than would be sent to the proxy itself in the case of HTTPS. Normally, the Proxy Auto-Config file is presumed to be non-malicious, but if a user has enabled Web Proxy Auto Detect (WPAD), this file can be served remotely, introducing a potential risk.

Recommendations

For Firefox versions prior to 51, update to version 51 or later to resolve the issue. As a temporary workaround, consider disabling Web Proxy Auto Detect (WPAD) to minimize the risk of exploitation. Restrict access to remote Proxy Auto-Config files to prevent potential malicious activity.
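
One way to check a Firefox profile against these recommendations, as an added example that is not part of the advisory or of Mozilla's code. It assumes the Firefox preferences `network.proxy.type` (4 = auto-detect/WPAD, 2 = PAC URL) and `network.proxy.autoconfig_url` as stored in a profile's `prefs.js`; the sample preference text and the function names are constructed for illustration.

```python
import re

# Firefox writes user-changed preferences as lines like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
FIXED_MAJOR = 51  # from the advisory: versions prior to 51 are affected

# Constructed sample of a prefs.js file with WPAD auto-detect switched on.
SAMPLE_PREFS = '''user_pref("browser.startup.page", 3);
user_pref("network.proxy.type", 4);
'''

def parse_prefs(text):
    """Return {pref_name: value} with ints, bools and strings decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_profile(prefs_text, firefox_version):
    """List findings relevant to CVE-2017-5384 for one profile."""
    prefs = parse_prefs(prefs_text)
    findings = []
    major = int(firefox_version.split(".")[0])
    if major < FIXED_MAJOR:
        findings.append(f"Firefox {firefox_version} is older than {FIXED_MAJOR}: update")
    proxy_type = prefs.get("network.proxy.type")
    if proxy_type == 4:
        findings.append("WPAD auto-detect enabled (network.proxy.type=4)")
    elif proxy_type == 2:
        url = prefs.get("network.proxy.autoconfig_url", "")
        if not url.lower().startswith("file:"):
            findings.append(f"remote PAC file in use: {url!r}")
    elif proxy_type is None:
        # prefs.js only records values the user changed from the default.
        findings.append("network.proxy.type not set: browser default applies, "
                        "check system proxy settings for auto-detect")
    return findings
```

Run it over each profile's `prefs.js` together with the installed Firefox version; an empty list means none of the conditions named in the recommendations were found in that profile.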

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2017-1138
ALT-PU-2017-1578
CVE-2017-5384
MGASA-2017-0323
OPENSUSE-SU-2017_0358-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
USN-3175-1
USN-3175-2

Affected Products

Alt Linux
Firefox
Suse
Ubuntu