CVE-2017-7843

high

Description

When Private Browsing mode is used, a web worker can write persistent data to IndexedDB and use it to fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode, and the stored data persists across multiple Private Browsing sessions because it is not cleared on exit. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1.

References

https://www.mozilla.org/security/advisories/mfsa2017-28/

https://www.mozilla.org/security/advisories/mfsa2017-27/

https://www.debian.org/security/2017/dsa-4062

https://lists.debian.org/debian-lts-announce/2017/12/msg00003.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1410106

https://access.redhat.com/errata/RHSA-2017:3382

http://www.securitytracker.com/id/1039954

http://www.securityfocus.com/bid/102112

http://www.securityfocus.com/bid/102039

Details

Source: Mitre, NVD

Published: 2018-06-11

Updated: 2018-08-06

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High