CVE-2016-2830

MEDIUM

Mozilla Firefox < 47.0.1 - Information Disclosure

Title source: rule

Description

Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve the network connection used for favicon resource retrieval after the associated browser window is closed, which makes it easier for remote web servers to track users by observing network traffic from multiple IP addresses.

References (11)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-1551.html

[Vendor Advisory] http://www.mozilla.org/security/announce/2016/mfsa2016-63.html

[Vendor Advisory] http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1036508

[Vendor Advisory] http://www.ubuntu.com/usn/USN-3044-1

[Issue Tracking, Permissions Required] https://bugzilla.mozilla.org/show_bug.cgi?id=1255270

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/92261

[Third Party Advisory] http://www.debian.org/security/2016/dsa-3640

[Third Party Advisory] https://security.gentoo.org/glsa/201701-15

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html

Scores

CVSS v3 4.3

EPSS 0.0056

EPSS Percentile 67.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (5)

mozilla/firefox < 47.0.1

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

Timeline

Published Aug 05, 2016

Tracked Since Feb 18, 2026