CVE-2017-5389

Summary

WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 51affected

Weaknesses

  • WebExtensions can install additional add-ons via modified host requests

ADP Enrichment

CVE Program Container

Additional References

References