VYPR

Firefox

by Mozilla Corporation

Source repositories

CVEs (3,179)

  • CVE-2018-5114MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.02

    If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie. This vulnerability affects Firefox < 58.

  • CVE-2018-5110MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    If cursor visibility is toggled by script using from 'none' to an image and back through script, the cursor will be rendered temporarily invisible within Firefox. Note: This vulnerability only affects OS X. Other operating systems are not affected. This vulnerability affects…

  • CVE-2018-5107MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.02

    The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file information…

  • CVE-2018-5106MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    Style editor traffic in the Developer Tools can be routed through a service worker hosted on a third party website if a user selects error links when these tools are open. This can allow style editor information used within Developer Tools to leak cross-origin. This…

  • CVE-2017-7842MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.02

    If a document's Referrer Policy attribute is set to "no-referrer" sometimes two network requests are made for "" elements instead of one. One of these requests includes the referrer instead of respecting the set policy to not include a referrer on requests. This…

  • CVE-2017-7838MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    Punycode format text will be displayed for entire qualified international domain names in some instances when a sub-domain triggers the punycode display instead of the primary domain being displayed in native script and the sub-domain only displaying as punycode. This could be…

  • CVE-2017-7837MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    SVG loaded through "" tags can use "" tags within the SVG data to set cookies for that page. This vulnerability affects Firefox < 57.

  • CVE-2017-7833MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    Some Arabic and Indic vowel marker characters can be combined with Latin characters in a domain name to eclipse the non-Latin character with some font sets on the addressbar. The non-Latin character will not be visible to most viewers. This allows for domain spoofing attacks…

  • CVE-2017-7832MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.02

    The combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave, can be spoofed in the addressbar by the dotless version of 'i' followed by the same accent as a second character with most font sets. This allows for…

  • CVE-2017-7831MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.02

    A vulnerability where the security wrapper does not deny access to some exposed properties using the deprecated "_exposedProps_" mechanism on proxy objects. These properties should be explicitly unavailable to proxy objects. This vulnerability affects Firefox < 57.

  • CVE-2017-7825MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.02

    Several fonts on OS X display some Tibetan and Arabic characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This…

  • CVE-2017-7823MedJun 11, 2018
    risk 0.35cvss 5.4epss 0.01

    The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This…

  • CVE-2017-7822MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    The AES-GCM implementation in WebCrypto API accepts 0-length IV when it should require a length of 1 according to the NIST Special Publication 800-38D specification. This might allow for the authentication key to be determined in some instances. This vulnerability affects…

  • CVE-2017-7820MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    The "instanceof" operator can bypass the Xray wrapper mechanism. When called on web content from the browser itself or an extension the web content can provide its own result for that operator, possibly tricking the browser or extension into mishandling the element. This…

  • CVE-2017-7817MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    A spoofing vulnerability can occur when a page switches to fullscreen mode without user notification, allowing a fake address bar to be displayed. This allows an attacker to spoof which page is actually loaded and in use. Note: This attack only affects Firefox for Android. Other…

  • CVE-2017-7816MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This vulnerability affects Firefox < 56.

  • CVE-2017-7815MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    On pages containing an iframe, the "data:" protocol can be used to create a modal dialog through Javascript that will have an arbitrary domains as the dialog's location, spoofing of the origin of the modal dialog from the user view. Note: This attack only affects installations…

  • CVE-2017-7812MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    If web content on a page is dragged onto portions of the browser UI, such as the tab bar, links can be opened that otherwise would not be allowed to open. This can allow malicious web content to open a locally stored file through "file:" URLs. This vulnerability affects Firefox…

  • CVE-2017-7808MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.01

    A content security policy (CSP) "frame-ancestors" directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information. This vulnerability affects Firefox < 55.

  • CVE-2017-7791MedJun 11, 2018
    risk 0.35cvss 5.3epss 0.02

    On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox…

Page 84 of 159