Vulnerability identifier: #VU12544
Vulnerability risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Mozilla Firefox
Client/Desktop applications /
Web browsers
Vendor: Mozilla
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to replacing of cached data in JavaScript start-up bytecode cache. A remote attacker with full
control over a content process can replace the
alternate data resources stored in the JavaScript Start-up Bytecode
Cache (JSBC) for other JavaScript code, run the executed script with the parent
process' privileges and escaping the sandbox on content processes.
Mitigation
Update to version 60.0.
Vulnerable software versions
Mozilla Firefox: 59.0 - 59.0.2
External links
http://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.