CVE-2017-7822

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 56

Description The issue is related to the implementation of the AES-GCM mode in the WebCrypto API, which is affected by a use-after-free memory issue. This could potentially allow a remote attacker to gain unauthorized access to protected information. Additionally, the AES-GCM implementation incorrectly accepts 0-length IV, which should be at least 1 according to the NIST Special Publication 800-38D specification, potentially allowing the authentication key to be determined in some cases.

Recommendations For versions prior to 56, update to version 56 or later to resolve the issue. As a temporary workaround, consider restricting the use of the WebCrypto API until a patch is available. Avoid using the IV parameter with a length of 0 in the affected API endpoint until the issue is resolved.