CVE-2020-26958

Summary

Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefox< 83affected
MozillaFirefox ESR< 78.5affected
MozillaThunderbird< 78.5affected

Weaknesses

  • Requests intercepted through ServiceWorkers lacked MIME type restrictions

ADP Enrichment

CVE Program Container

Additional References

References