CVE-2017-7843 : When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprin

When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting. This vulnerability affects Firefox ESR < 52.5.2 and Firefox < 57.0.1.

Published 2018-06-11 21:29:12

Updated 2018-08-06 16:35:17

Source Mozilla Corporation

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2017-7843

Probability of exploitation activity in the next 30 days: 0.55%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 75 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-7843

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-7843

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-7843

https://bugzilla.mozilla.org/show_bug.cgi?id=1410106

1410106 - (CVE-2017-7843) fingerprinting users in private window using web-worker + indexedDB
Exploit;Issue Tracking;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00003.html

[SECURITY] [DLA 1202-1] firefox-esr security update
Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-27/

Security vulnerabilities fixed in Firefox 57.0.1 — Mozilla
Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1039954

Mozilla Firefox Flaws Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
https://www.debian.org/security/2017/dsa-4062

Debian -- Security Information -- DSA-4062-1 firefox-esr
Third Party Advisory
http://www.securityfocus.com/bid/102112

Mozilla Firefox ESR CVE-2017-7843 Security Bypass Vulnerability
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/102039

Mozilla Firefox MFSA2017-27 Multiple Security Vulnerabilities
Issue Tracking;Third Party Advisory;VDB Entry

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3382

RHSA-2017:3382 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-28/

Security vulnerabilities fixed in Firefox ESR 52.5.2 — Mozilla
Vendor Advisory

CVEs referencing this url

Products affected by CVE-2017-7843

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.5
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox
Versions before (<) 57.0.1
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr
Versions before (<) 52.5.2
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2017-7843

Exploit prediction scoring system (EPSS) score for CVE-2017-7843

CVSS scores for CVE-2017-7843

CWE ids for CVE-2017-7843

References for CVE-2017-7843

Products affected by CVE-2017-7843