Information disclosure in Mozilla Firefox and Firefox ESR

#VU48469 Information disclosure

Published: 2020-11-17

Vulnerability identifier: #VU48469

Vulnerability risk: Low

CVSSv3: 2.9 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-26965

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software: Mozilla Firefox
Client/Desktop applications / Web browsers
Firefox ESR
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the way software keyboards are handled by the Firefox. Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password.

A local user leverage this behavior to gain access to passwords, stored by software keyboards.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 60.0, 60.0.1, 60.0.2, 60.1.0, 60.2.0, 60.2.1, 60.2.2, 60.3.0, 60.4.0, 60.5.0, 60.5.1, 60.5.2, 60.6.0, 60.6.1, 60.6.2, 60.6.3, 60.7.0, 61.0, 61.0.1, 61.0.2, 62.0, 62.0.1, 62.0.2, 62.0.3, 63.0, 63.0.1, 63.0.3, 64.0, 64.0.1, 64.0.2, 65.0, 65.0.1, 65.0.2, 66.0, 66.0.1, 66.0.2, 66.0.3, 66.0.4, 66.0.5, 67.0, 67.0.1, 67.0.2, 67.0.3, 67.0.4, 68.0, 68.0.1, 68.0.2, 69.0, 69.0.1, 69.0.2, 69.0.3, 70.0, 70.0.1, 71.0, 72.0, 72.0.1, 72.0.2, 73.0, 73.0.1, 74.0, 74.0.1, 75.0, 76.0, 76.0.1, 77.0, 77.0.1, 78.0, 78.0.1, 78.0.2, 79.0, 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3

Firefox ESR: 60.0, 60.0.1, 60.0.2, 60.1.0, 60.2.0, 60.2.1, 60.2.2, 60.3.0, 60.4.0, 60.5.0, 60.5.1, 60.5.2, 60.6.0, 60.6.1, 60.6.2, 60.6.3, 60.7.0, 60.7.1, 60.7.2, 60.8.0, 60.9.0, 68.0, 68.0.1, 68.0.2, 68.1.0, 68.2.0, 68.3.0, 68.4.0, 68.4.1, 68.4.2, 68.5.0, 68.6.0, 68.6.1, 68.7.0, 68.8.0, 68.9.0, 68.10.0, 68.11.0, 68.12.0, 78.0, 78.0.1, 78.0.2, 78.1.0, 78.2.0, 78.3.0, 78.3.1, 78.4.0, 78.4.1

CPE