CVE-2017-7843

High

Description

When Private Browsing mode is used, a web worker can write persistent data to IndexedDB and use it to fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode, and the stored data persists across multiple Private Browsing sessions because it is not cleared on exit. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1.

References

https://access.redhat.com/errata/RHSA-2017:3382

https://bugzilla.mozilla.org/show_bug.cgi?id=1410106

https://lists.debian.org/debian-lts-announce/2017/12/msg00003.html

https://www.debian.org/security/2017/dsa-4062

https://www.mozilla.org/security/advisories/mfsa2017-27/

https://www.mozilla.org/security/advisories/mfsa2017-28/

http://www.securitytracker.com/id/1039954

Details

Source: Mitre, NVD

Published: 2018-06-11

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High