1625530 – (CVE-2018-12382) CVE-2018-12382 Mozilla: Addressbar spoofing with javascript URI on Firefox for Android

Bug 1625530 (CVE-2018-12382) - CVE-2018-12382 Mozilla: Addressbar spoofing with javascript URI on Firefox for Android

Summary: CVE-2018-12382 Mozilla: Addressbar spoofing with javascript URI on Firefox fo...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-12382
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1623023
TreeView+	depends on / blocked

Reported:	2018-09-05 07:15 UTC by Doran Moppert
Modified:	2021-02-16 23:06 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-09-13 04:56:38 UTC
Embargoed:

Attachments	(Terms of Use)

Description Doran Moppert 2018-09-05 07:15:11 UTC

The displayed addressbar URL can be spoofed on Firefox for Android using a `javascript:` URI in concert with JavaScript to insert text before the loaded domain name, scrolling the loaded domain out of view to the right. This can lead to user confusion. 

*This vulnerability only affects Firefox for Android.*



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12382

Comment 1 Doran Moppert 2018-09-05 07:15:15 UTC

Acknowledgments:

Name: the Mozilla project
Upstream: Jordi Chancel

Note You need to log in before you can comment on or make changes to this bug.