| CVE-2017-7842 | Low | Yes | Information disclosure | If a document’s Referrer Policy attribute is set to "no-referrer" sometimes two network requests are made for <link> elements instead of one in Firefox... |
| CVE-2017-7840 | Low | No | Cross-site scripting | JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks in Firefox before 57.0. If... |
| CVE-2017-7839 | Low | Yes | Cross-site scripting | Control characters prepended before javascript: URLs pasted in the address bar in Firefox before 57.0 can cause the leading characters to be ignored and the... |
| CVE-2017-7838 | Low | Yes | Content spoofing | Punycode format text in Firefox before 57.0 will be displayed for entire qualified international domain names in some instances when a sub-domain triggers... |
| CVE-2017-7837 | Medium | Yes | Same-origin policy bypass | SVG loaded through <img> tags in Firefox before 57.0 can use <meta> tags within the SVG data to set cookies for that page. |
| CVE-2017-7836 | Medium | No | Privilege escalation | The "pingsender" executable used by the Firefox Health Report before 57.0 dynamically loads a system copy of libcurl, which an attacker could replace. This... |
| CVE-2017-7835 | Medium | Yes | Access restriction bypass | Mixed content blocking of insecure (HTTP) sub-resources in a secure (HTTPS) document was not correctly applied for resources that redirect from HTTPS to... |
| CVE-2017-7834 | Medium | Yes | Access restriction bypass | A data: URL loaded in a new tab of Firefox before 57.0 did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the... |
| CVE-2017-7833 | Medium | Yes | Content spoofing | Some Arabic and Indic vowel marker characters can be combined with Latin characters in a domain name to eclipse the non-Latin character with some font sets... |
| CVE-2017-7832 | Medium | Yes | Content spoofing | The combined, single character, version of the letter 'i' with any of the potential accents in Unicode, such as acute or grave, can be spoofed in the... |
| CVE-2017-7831 | Medium | Yes | Information disclosure | A vulnerability has been found in Firefox before 57.0 where the security wrapper does not deny access to some exposed properties using the deprecated... |
| CVE-2017-7830 | High | Yes | Same-origin policy bypass | The Resource Timing API in Firefox before 57.0 and Thunderbird before 52.5 incorrectly revealed navigations in cross-origin iframes. This is a same-origin... |
| CVE-2017-7828 | Critical | Yes | Arbitrary code execution | A use-after-free vulnerability can occur in Firefox before 57.0 and Thunderbird before 52.5 when flushing and resizing layout because the PresShell object... |
| CVE-2017-7827 | Critical | Yes | Arbitrary code execution | Several memory safety bugs have been found in Firefox before 57.0. Some of these bugs showed evidence of memory corruption and with enough effort some of... |
| CVE-2017-7826 | Critical | Yes | Arbitrary code execution | Several reported memory safety bugs have been found in Firefox before 57.0 and Thunderbird before 52.5. Some of these bugs showed evidence of memory... |