CVE-2018-5143

Published: 14 March 2018

URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59.

Priority

Low

CVSS 3 base score: 6.1

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
Upstream
Released (59.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (59.0.1+build1-0ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (59.0+build5-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [59.0+build5-0ubuntu0.14.04.1])