1443336 – (CVE-2017-5458) CVE-2017-5458 Mozilla: Drag and drop of javascript: URLs can allow for self-XSS (MFSA 2017-11)

Bug 1443336 (CVE-2017-5458) - CVE-2017-5458 Mozilla: Drag and drop of javascript: URLs can allow for self-XSS (MFSA 2017-11)

Summary: CVE-2017-5458 Mozilla: Drag and drop of javascript: URLs can allow for self-X...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-5458
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1437814
TreeView+	depends on / blocked

Reported:	2017-04-19 06:24 UTC by Huzaifa S. Sidhpurwala
Modified:	2021-02-17 02:17 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2017-04-20 06:22:24 UTC
Embargoed:

Attachments	(Terms of Use)

Description Huzaifa S. Sidhpurwala 2017-04-19 06:24:49 UTC

When a <code>javascript:</code> URL is drag and dropped by a user into the addressbar, the URL will be processed and executed. This allows for users to be socially engineered to execute an XSS attack on themselves.


External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5458


Acknowledgements:

Name: the Mozilla project
Upstream: Daniel Veditz

Note You need to log in before you can comment on or make changes to this bug.