Medium severity 4.3 · NVD Advisory · Published Sep 22, 2016 · Updated May 6, 2026

CVE-2016-5279

Description

In Firefox before 49, a user-assisted drag-and-drop operation from the local file system exposes the full local path of files to web content via crafted JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Mozilla Firefox before version 49 allows user-assisted remote attackers to obtain sensitive path information through a drag-and-drop operation. When a user drags a file from the local file system (e.g., Windows Explorer, GNOME Files) into a web page, crafted JavaScript code can retrieve the full local file path via dataTransfer.getData("text/x-moz-url") and other clipboard types [1]. The bug is in the DOM Copy & Paste and Drag & Drop component [1].

Exploitation

An attacker needs to host a malicious web page that listens for the drop event and calls event.dataTransfer.getData("text/x-moz-url"). The user must then drag a file from their file manager and drop it onto the attacker's page. No other authentication or network position is required; the attack is purely user-assisted [1].

Impact

On successful exploitation, the attacker learns the full local path of the dragged file. This is a disclosure of sensitive information (full pathname), which can aid in profiling the user's system and potentially be combined with other vulnerabilities for further attacks. The impact is limited to information disclosure and does not grant code execution or privilege escalation.

Mitigation

Firefox 49, released on September 20, 2016, fixes this vulnerability [2]. Users should update to Firefox 49 or later. Gentoo Linux users should upgrade to Firefox 45.6.0 or later [3]. No workarounds are available for earlier versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
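A regression check for the path exposure described above, as an added example that is not code from Mozilla or from this advisory: given the string payloads a test page received from a drop, it reports every payload that carries a file: URL or an absolute path. The function names and the sample payload are constructed for illustration.

```javascript
// Added example: flag drag-and-drop string payloads that reveal a local path.
// On a browser test page, build the input inside a drop handler:
//   for (const t of e.dataTransfer.types) payloads[t] = e.dataTransfer.getData(t);

// Windows drive path, UNC path, or POSIX absolute path (not "//host").
const ABSOLUTE_PATH = /^(?:[A-Za-z]:[\\\/]|\\\\[^\\]+\\|\/(?!\/)\S)/;

// Split one payload into the strings worth checking, according to its type.
function candidates(type, data) {
  const lines = data.split(/\r?\n/).map((s) => s.trim());
  if (type === "text/x-moz-url") {
    // URL and title alternate, one per line: only the URL lines are checked.
    return lines.filter((l, i) => i % 2 === 0 && l);
  }
  if (type === "text/uri-list") {
    // Lines starting with '#' are comments in a URI list.
    return lines.filter((l) => l && !l.startsWith("#"));
  }
  return lines.filter(Boolean);
}

// Return the local path carried by a string, or null if it carries none.
function localPath(value) {
  if (/^file:/i.test(value)) {
    try {
      return decodeURIComponent(new URL(value).pathname);
    } catch {
      return value; // malformed file: URL, report it verbatim
    }
  }
  return ABSOLUTE_PATH.test(value) ? value : null;
}

// payloads: { mimeType: string }. Returns [{ type, path }] for every leak.
function findPathLeaks(payloads) {
  const leaks = [];
  for (const [type, data] of Object.entries(payloads)) {
    for (const value of candidates(type, data || "")) {
      const path = localPath(value);
      if (path !== null) leaks.push({ type, path });
    }
  }
  return leaks;
}

// Constructed sample payloads, not captured from a real browser.
const leakingDrop = {
  "text/x-moz-url": "file:///home/alice/Documents/tax%202015.pdf\ntax 2015.pdf",
  "text/plain": "tax 2015.pdf",
};
```

An empty result from findPathLeaks for a file dragged in from the file manager means none of the checked string types carried a path.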

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
