CVE-2018-5143
Published: 14 March 2018
URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59.
Priority
CVSS 3 base score: 6.1
Status
Package | Release | Status |
---|---|---|
firefox Launchpad, Ubuntu, Debian |
artful |
Released
(59.0+build5-0ubuntu0.17.10.1)
|
bionic |
Released
(59.0.1+build1-0ubuntu1)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was released [59.0+build5-0ubuntu0.14.04.1])
|
|
upstream |
Released
(59.0)
|
|
xenial |
Released
(59.0+build5-0ubuntu0.16.04.1)
|