CVE-2017-5389

Published: 25 January 2017

WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51.

Priority

CVSS 3 base score: 6.1

Status

Package	Release	Status
firefox Launchpad, Ubuntu, Debian	Upstream	Released (51)





	Ubuntu 16.04 ESM (Xenial Xerus)	Released (51.0.1+build2-0ubuntu0.16.04.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was released [51.0.1+build2-0ubuntu0.14.04.1])
thunderbird Launchpad, Ubuntu, Debian	Upstream	Not vulnerable





	Ubuntu 16.04 ESM (Xenial Xerus)	Not vulnerable
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was not-affected)

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

CVE-2017-5389

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading