A flaw was found in Firefox versions before 54. When entered directly, Reader Mode did not strip the username and password section of URLs displayed in the address bar. This can be used for spoofing the domain of the current page. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1358248 https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/ Patch: https://bugzilla.mozilla.org/attachment.cgi?id=8868506&action=diff
Statement: Red Hat Product Security has rated this issue as having a security impact of Moderate, and a future update may address this flaw.
External References: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2112 https://access.redhat.com/errata/RHSA-2018:2112
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2113 https://access.redhat.com/errata/RHSA-2018:2113