PT-2019-4546 · Mozilla · Firefox

Vinothkumar Nagasayanan

Published 2019-03-19 · Updated 2024-12-12 · CVE-2019-9803

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 66

Description: The issue concerns the Upgrade-Insecure-Requests (UIR) specification and Content Security Policy (CSP) in Firefox. When UIR is enabled through CSP, Firefox should upgrade a navigation to a same-origin URL to HTTPS. In some cases, however, Firefox fails to perform the upgrade and navigates to the HTTP URL instead, exposing the linked resource to man-in-the-middle attacks. A remote attacker could use this to access and compromise confidential data.

Recommendations: For versions prior to 66, update to version 66 or later to resolve the issue. As a temporary workaround, consider disabling the UIR feature through CSP until a patch is available. Restrict access to sensitive data and resources to minimize the risk of exploitation.
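As an added example (not code from the advisory or from Mozilla), the following Python implements the same-origin navigation upgrade that UIR via CSP is meant to produce and audits constructed navigation records for the failure mode described above, where the browser reaches an HTTP target instead of its HTTPS upgrade. The example.test hostnames and the record format are assumptions.

```python
"""Reference check for Upgrade-Insecure-Requests (UIR) navigation upgrades.

Added example, not code from the advisory or from Mozilla. It models the
upgrade a UIR-compliant browser should apply (same-host navigation
http -> https when CSP carries upgrade-insecure-requests) and audits
constructed navigation records for navigations that were not upgraded.
"""
from urllib.parse import urlsplit, urlunsplit


def uir_enabled(csp_header: str) -> bool:
    """True if the Content-Security-Policy header lists upgrade-insecure-requests."""
    directives = (d.strip().split()[0].lower() for d in csp_header.split(";") if d.strip())
    return "upgrade-insecure-requests" in directives


def expected_navigation(page_url: str, target_url: str, csp_header: str) -> str:
    """URL a UIR-compliant browser should navigate to for a link on page_url.

    Only http targets on the same host as the page are upgraded (navigations to
    other hosts are left alone by the spec); port 80 maps to the https default.
    """
    page, target = urlsplit(page_url), urlsplit(target_url)
    if not uir_enabled(csp_header) or target.scheme != "http":
        return target_url
    if target.hostname != page.hostname:
        return target_url
    netloc = target.hostname
    if target.port not in (None, 80):  # keep a non-default port, e.g. :8080
        netloc = f"{target.hostname}:{target.port}"
    return urlunsplit(("https", netloc, target.path, target.query, target.fragment))


def find_missed_upgrades(records):
    """Return (page, target, actual) for records where the navigated URL differs from expected."""
    return [(p, t, a) for p, t, a, csp in records if expected_navigation(p, t, csp) != a]


# Constructed sample records: (page URL, link target, URL actually navigated to, CSP header).
SAMPLE = [
    ("https://example.test/a", "http://example.test/b", "https://example.test/b", "upgrade-insecure-requests"),
    ("https://example.test/a", "http://example.test/c", "http://example.test/c", "default-src 'self'; upgrade-insecure-requests"),
    ("https://example.test/a", "http://other.test/", "http://other.test/", "upgrade-insecure-requests"),
    ("https://example.test/a", "http://example.test/d", "http://example.test/d", "default-src 'self'"),
]

if __name__ == "__main__":
    for page, target, actual in find_missed_upgrades(SAMPLE):
        print(f"missed upgrade: {page} -> {target} (navigated to {actual})")
```

Only the second record is flagged: UIR is enabled, the target is same-host HTTP, yet the navigation ended on HTTP, which is exactly the behaviour the advisory describes.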

Fix

Weakness Enumeration

Origin Validation Error

Related Identifiers

ALT-PU-2019-1561
ALT-PU-2019-2324
ALT-PU-2019-2486
BDU:2020-00592
CVE-2019-9803
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
USN-3918-1
USN-3918-2
USN-3918-3
USN-3918-4

Affected Products

Alt Linux
Firefox
Ubuntu