PT-2017-3379 · Mozilla+5 · Firefox Esr+7

Jun Kokatsu

·

Published

2017-09-02

·

Updated

2024-12-12

·

CVE-2017-7823

CVSS v2.0

8.3

High

VectorAV:N/AC:M/Au:N/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions Firefox versions prior to 56 Firefox ESR versions prior to 52.4 Thunderbird versions prior to 52.4
Description The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. The vulnerability is related to the implementation of the Content Security Policy (CSP) mechanism in Mozilla browsers, which failed to protect the structure of web pages using the sandbox directive, potentially allowing a remote attacker to perform cross-site scripting attacks.
Recommendations For Firefox versions prior to 56, update to version 56 or later. For Firefox ESR versions prior to 52.4, update to version 52.4 or later. For Thunderbird versions prior to 52.4, update to version 52.4 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2017-2358
ALT-PU-2017-2390
ALT-PU-2017-2437
ALT-PU-2018-1854
BDU:2018-00161
CESA-2017_2831
CESA-2017_2885
CVE-2017-7823
DLA-1118-1
DLA-1153-1
DSA-3987-1
DSA-4014-1
MGASA-2017-0361
MGASA-2018-0018
OPENSUSE-SU-2017:2707-1
OPENSUSE-SU-2017:2710-1
OPENSUSE-SU-2017_2615-1
OPENSUSE-SU-2017_2710-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2017:2831
RHSA-2017:2885
RHSA-2017_2831
RHSA-2017_2885
SUSE-SU-2017:2688-1
SUSE-SU-2017:2872-1
SUSE-SU-2017:2872-2
USN-3435-1
USN-3435-2
USN-3436-1

Affected Products

Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Suse
Thunderbird
Ubuntu