CVE-2018-5133

Summary

If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This stored preference is also executed whenever an EME video player plugin displays a CDM-disabled message as a notification message. This vulnerability affects Firefox < 59.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 59affected

Weaknesses

  • Value of the app.support.baseURL preference is not properly sanitized

ADP Enrichment

CVE Program Container

Additional References

References