PT-2017-16490 · Mozilla+5 · Firefox+6

David Kohlbrenner

·

Published

2017-03-07

·

Updated

2024-12-12

·

CVE-2017-5407

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Firefox versions prior to 52 Firefox ESR versions prior to 45.8 Thunderbird versions prior to 52 Thunderbird versions prior to 45.8
Description A malicious page can extract pixel values from a targeted user by using SVG filters that don't use the fixed point math implementation on a target iframe. This can be used to extract history information and read text values across domains, violating the same-origin policy and leading to information disclosure.
Recommendations For Firefox versions prior to 52, update to version 52 or later. For Firefox ESR versions prior to 45.8, update to version 45.8 or later. For Thunderbird versions prior to 52, update to version 52 or later. For Thunderbird versions prior to 45.8, update to version 45.8 or later.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALT-PU-2017-1322
ALT-PU-2017-1447
ALT-PU-2017-1578
CESA-2017_0459
CESA-2017_0461
CESA-2017_0498
CVE-2017-5407
DLA-852-1
DLA-896-1
DSA-3805-1
DSA-3832-1
MGASA-2017-0081
MGASA-2017-0082
MGASA-2018-0018
OPENSUSE-SU-2017:0687-1
OPENSUSE-SU-2017:0688-1
OPENSUSE-SU-2017:1268-1
OPENSUSE-SU-2017_0690-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2017:0459
RHSA-2017:0461
RHSA-2017:0498
RHSA-2017_0459
RHSA-2017_0461
RHSA-2017_0498
SUSE-SU-2017:0714-1
SUSE-SU-2017:0732-1
USN-3216-1
USN-3216-2
USN-3233-1

Affected Products

Alt Linux
Centos
Firefox
Red Hat
Suse
Thunderbird
Ubuntu