PT-2020-16588 · Mozilla+7 · Firefox+7

Andrew Sutherland · Published 2020-12-15 · Updated 2024-12-12 · CVE-2020-26976

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 84

Description

The issue occurs when an HTTPS page is embedded in an HTTP page and a service worker is registered for the secure page. In such cases, the service worker could intercept the request for the secure page, even though the iframe is not a secure context because of the insecure framing.

Recommendations

For versions prior to 84, update to version 84 or later to resolve the issue. As a temporary workaround, consider disabling service workers for secure pages embedded in insecure contexts until a patch is available. Restrict access to sensitive information on secure pages to minimize the risk of exploitation.

Related Identifiers

ALT-PU-2020-3529
ALT-PU-2021-1158
ALT-PU-2021-1160
ALT-PU-2021-1199
ALT-PU-2021-1200
ALT-PU-2021-1368
ALT-PU-2021-1369
ALT-PU-2021-2725
ALT-PU-2021-2881
ALT-PU-2021-3368
ALT-PU-2021-3369
ALT-PU-2022-1781
ALT-PU-2022-1782
CESA-2021_0288
CESA-2021_0298
CVE-2020-26976
DLA-2539-1
DLA-2541-1
DSA-4840-1
DSA-4842-1
MGASA-2021-0065
MGASA-2021-0066
OESA-2023-1673
OESA-2023-1674
OPENSUSE-SU-2021:0208-1
OPENSUSE-SU-2021:0209-1
OPENSUSE-SU-2021:0222-1
OPENSUSE-SU-2021:0223-1
OPENSUSE-SU-2021_0208-1
OPENSUSE-SU-2021_0209-1
OPENSUSE-SU-2021_0222-1
OPENSUSE-SU-2021_0223-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2021:0285
RHSA-2021:0288
RHSA-2021:0289
RHSA-2021:0290
RHSA-2021:0297
RHSA-2021:0298
RHSA-2021:0299
RHSA-2021:0397
RHSA-2021_0288
RHSA-2021_0290
RHSA-2021_0297
RHSA-2021_0298
SUSE-SU-2021:0241-1
SUSE-SU-2021:0245-1
SUSE-SU-2021:0246-1
SUSE-SU-2021:0257-1
SUSE-SU-2021:0259-1
SUSE-SU-2021:14609-1
SUSE-SU-2021_0241-1
SUSE-SU-2021_0246-1
SUSE-SU-2021_0259-1
SUSE-SU-2021_14609-1
USN-4671-1
USN-4736-1

Affected Products

Alt Linux
Astra Linux
CentOS
Firefox
Linux Mint
Red Hat
SUSE
Ubuntu