Description
Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
References (11)
Core 11
Core References
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2017-19/
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2017-20/
Exploit, Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1322896
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-3968
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2017-18/
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2456
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100234
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2534
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1039124
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201803-14
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-3928
Scores
CVSS v3
7.5
EPSS
0.0098
EPSS Percentile
77.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (22)
debian/debian_linux
8.0
debian/debian_linux
9.0
mozilla/firefox
< 55.0
mozilla/firefox_esr
< 52.3
mozilla/thunderbird
< 52.3
redhat/enterprise_linux
5.0
redhat/enterprise_linux
6.0
redhat/enterprise_linux
7.0
redhat/enterprise_linux_desktop
5.0
redhat/enterprise_linux_desktop
6.0
... and 12 more
Published
Jun 11, 2018
Tracked Since
Feb 18, 2026