Vulnerability identifier: #VU32901
Vulnerability risk: Low
CVSSv3.1:
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Mozilla Firefox (Client/Desktop applications / Web browsers)
Firefox ESR (Client/Desktop applications / Web browsers)
Vendor: Mozilla
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because the application does not properly impose security restrictions when allowing popups. A remote attacker can create a specially crafted web page with noopener links that may allow the attacker to bypass the iframe sandbox for websites relying on sandbox configurations, if the allow-popups flag is set.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Mozilla Firefox: 70.0 - 78.0.2
Firefox ESR: 78.0 - 78.0.2
CPE
External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/