#VU6356 Address bar spoofing in Mozilla Firefox


Published: 2017-04-20

Vulnerability identifier: #VU6356

Vulnerability risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5451

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to spoof browser address bar.

The vulnerability exists due to an error when processing onblur event. A remote attacker can spoof the addressbar through the user interaction on the addressbar and the onblur event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar.

This vulnerability affects only Firefox for Android.

Mitigation
Update to Firefox 53.

Vulnerable software versions

Mozilla Firefox: 52 - 52.0.2

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2017-10/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE Linux update for MozillaFirefox
SUSE Linux update for MozillaFirefox
Ubuntu update for Firefox
Red Hat update for Mozilla Thunderbird
Multiple vulnerabilities in Mozilla Thunderbird
Arch Linux update for firefox
Ubuntu update for Firefox
Multiple vulnerabilities in Mozilla Firefox