CVE-2017-7843
moderate-risk
Published 2018-06-11
When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1.
Do I need to act?
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10
High
NETWORK / LOW complexity
Affected Products (13)
References (18)
Issue Tracking
http://www.securityfocus.com/bid/102039
Third Party Advisory
http://www.securityfocus.com/bid/102112
Third Party Advisory
http://www.securitytracker.com/id/1039954
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3382
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00003.html
Third Party Advisory
https://www.debian.org/security/2017/dsa-4062
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-27/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-28/
46 / 100
moderate-risk
Severity
26/34 · High
Exploitability
3/34 · Minimal
Exposure
17/34 · Moderate