Mozilla Firefox ESR < 45.7 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9928

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 45.7 are unpatched for the following vulnerabilities :

- A flaw exists in JIT code allocation that may allow a context-dependent attacker to bypass the Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) protection mechanisms.
- A use-after-free error exists in the 'txExecutionState::getVariable()' function in 'dom/xslt/xslt/txExecutionState.cpp' that is triggered when handling XSL in XSLT documents. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists that is due to the program sharing hashed codes of JavaScripts objects between pages. This may allow a context-dependent attacker to gain access to potentially sensitive data by discovering the object's address through a pointer leak.
- A use-after-free error exists in the 'PresShell::FlushPendingNotifications()' function in 'layout/base/PresShell.cpp' that is triggered during DOM manipulation of SVG content. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists that is due to the JSON viewer in the Developer Tools insecurely creating communication channels for copying and viewing JSON or HTTP headers. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
- A flaw exists in the 'ICCallStubCompiler::guardFunApply()' function in 'js/src/jit/BaselineIC.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'IonBuilder::createThisScriptedSingleton()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'AddLazyFunctionsForCompartment()' function in 'js/src/jscompartment.cpp' that is triggered when handling references to a compartment's lazy functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'js::DefineTypedArrayElement()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'DataViewObject::create()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'IonBuilder::initEnvironmentChain()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the JavaScript JIT compiler that is triggered when handling windows. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsDOMConstructor::HasInstance()' function in 'dom/base/nsDOMClassInfo.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free flaw exists in the 'nsDocument::SetScriptGlobalObject()' function in 'dom/base/nsDocument.cpp' that is triggered when handling specially crafted media files. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists that is triggered during the handling of a specially crafted URL that contains certain unicode glyphs for alternative hyphens and quotes. This may allow a context-dependent attacker to spoof the location bar.
- A flaw exists that may allow WebExtension scripts to use the 'data: protocol' to affect pages loaded by other extensions. This may allow a context-dependent attacker to potentially disclose sensitive information or gain elevated privileges related to other extensions.

Solution

Upgrade to Firefox version 45.7 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-01

https://www.mozilla.org/en-US/security/advisories/mfsa2017-02

https://www.mozilla.org/en-US/security/advisories/mfsa2017-03

Plugin Details

Severity: High

ID: 9928

Family: Web Clients

Published: 1/31/2017

Updated: 11/6/2019

Nessus ID: 96775

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_esr

Patch Publication Date: 1/24/2016

Vulnerability Publication Date: 1/18/2017

Reference Information

CVE: CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396

BID: 95762, 95757