Vulnerability Details : CVE-2017-7843
When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1.
Vulnerability category: Information leak
Products affected by CVE-2017-7843
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-7843
0.99%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-7843
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-7843
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-7843
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1410106
1410106 - (CVE-2017-7843) fingerprinting users in private window using web-worker + indexedDBExploit;Issue Tracking;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2017/12/msg00003.html
[SECURITY] [DLA 1202-1] firefox-esr security updateThird Party Advisory
-
https://www.mozilla.org/security/advisories/mfsa2017-27/
Security vulnerabilities fixed in Firefox 57.0.1 — MozillaVendor Advisory
-
http://www.securitytracker.com/id/1039954
Mozilla Firefox Flaws Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTrackerThird Party Advisory;VDB Entry
-
https://www.debian.org/security/2017/dsa-4062
Debian -- Security Information -- DSA-4062-1 firefox-esrThird Party Advisory
-
http://www.securityfocus.com/bid/102112
Mozilla Firefox ESR CVE-2017-7843 Security Bypass VulnerabilityThird Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/102039
Mozilla Firefox MFSA2017-27 Multiple Security VulnerabilitiesIssue Tracking;Third Party Advisory;VDB Entry
-
https://access.redhat.com/errata/RHSA-2017:3382
RHSA-2017:3382 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.mozilla.org/security/advisories/mfsa2017-28/
Security vulnerabilities fixed in Firefox ESR 52.5.2 — MozillaVendor Advisory
Jump to