Bug 1696138 (CVE-2018-18495)

Summary: CVE-2018-18495 firefox: WebExtension content scripts can be loaded in about: pages
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: 0xalen+redhat, anto.trande, gecko-bugs-nobody, jhorak, john.j5live, kengert, pjasicek, rhughes, rstrode, sandmann, stransky
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: firefox 64
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-04-05 03:13:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1692767

Description msiddiqu 2019-04-04 08:29:59 UTC
WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions. This could allow an extension to interfere with the loading and usage of these pages and use capabilities that were intended to be restricted from extensions. This vulnerability affects Firefox < 64.

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1427585

External References: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18495