CVE-2018-5143

Published: 14 March 2018

URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59.

Priority

Cvss 3 Severity Score

6.1

Score breakdown

Status

Package	Release	Status
firefox Launchpad, Ubuntu, Debian	upstream	Released (59.0)
	xenial	Released (59.0+build5-0ubuntu0.16.04.1)
	artful	Released (59.0+build5-0ubuntu0.17.10.1)
	bionic	Released (59.0.1+build1-0ubuntu1)
	trusty	Released (59.0+build5-0ubuntu0.14.04.1)

Severity score breakdown

Parameter	Value
Base score	6.1
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›