Vulnerability Details : CVE-2017-5928
The W3C High Resolution Time API, as implemented in various web browsers, does not consider that memory-reference times can be measured by a performance.now "Time to Tick" approach even with the https://bugzilla.mozilla.org/show_bug.cgi?id=1167489#c9 protection mechanism in place, which makes it easier for remote attackers to conduct AnC attacks via crafted JavaScript code.
Products affected by CVE-2017-5928
- cpe:2.3:a:w3:high_resolution_time_api:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-5928
- 0.17%: Probability of exploitation activity in the next 30 days
- ~ 54 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-5928
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 2.2 | 1.4 | NIST | |
References for CVE-2017-5928
- http://www.securityfocus.com/bid/97036
  W3C High Resolution Time API CVE-2017-5928 Security Vulnerability (Third Party Advisory; VDB Entry)
- http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
  Technical Description
- https://www.vusec.net/projects/anc
  AnC - VUSec (Third Party Advisory)