Vulnerability class: Local
Severity:
Vulnerability details
Firefox is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android.
Multiple vulnerabilities were reported in Mozilla Firefox:
Cross-origin URL information leak through Resource Timing API.
Information disclosure of exposed properties on JavaScript proxy objects.
Domain spoofing through use of dotless 'i' character followed by accent markers.
URLs opened in new tabs bypass CSP protections.
Pingsender dynamically loads libcurl on Linux and OS X.
Control characters before javascript: URLs defeat the self-XSS prevention mechanism.
Exported bookmarks do not strip script elements from user-supplied tags.
Affected Versions:
Firefox prior to 57.0
Firefox ESR prior to 52.5
QID Detection Logic (Authenticated)
This QID checks for vulnerable versions of Firefox browser.
Impact
Cross-origin URL information leak through Resource Timing API.
Information disclosure of exposed properties on JavaScript proxy objects.
Domain spoofing through use of dotless 'i' character followed by accent markers.
URLs opened in new tabs bypass CSP protections.
Pingsender dynamically loads libcurl on Linux and OS X.
Control characters before javascript: URLs defeat the self-XSS prevention mechanism.
Exported bookmarks do not strip script elements from user-supplied tags.
Solution
The vendor has issued a fix (57.0, 52.5ESR).
Refer to MFSA 2017-24 and MFSA 2017-25.
Patch:
Following are links for downloading patches to fix the vulnerabilities: