PT-2022-4925 · Mozilla+4 · Firefox+4

Young Min Kim · Published 2022-03-08 · Updated 2024-12-12 · CVE-2022-26382

CVSS v2.0: 5.0 Medium

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 98

Description

The issue is related to the Autofill tooltips in Firefox, where the text displayed cannot be directly read by JavaScript but is rendered using page fonts. This could lead to side-channel attacks using specially crafted fonts, potentially allowing an attacker to infer the text. The vulnerability is associated with a lack of protection for sensitive data, which could enable an unauthorized party to access protected information.

Recommendations

For versions prior to 98, update to version 98 or later to resolve the issue. As a temporary workaround, consider restricting the use of Autofill tooltips until a patch is applied. Avoid using specially crafted fonts that could be used in side-channel attacks.

Exploit

Fix

Information Disclosure

Side Channel Attack

Weakness Enumeration

Related Identifiers

ALT-PU-2022-1450
ALT-PU-2022-2458
ALT-PU-2022-2929
ALT-PU-2022-2930
ALT-PU-2023-1138
ALT-PU-2023-1139
ALT-PU-2023-4336
ALT-PU-2023-4339
BDU:2022-06106
CVE-2022-26382
OESA-2023-1673
OESA-2023-1674
OPENSUSE-SU-2024:11908-1
OPENSUSE-SU-2024:14572-1
USN-5321-1
USN-5321-2
USN-5321-3

Affected Products

Alt Linux
Astra Linux
Firefox
Linuxmint
Ubuntu