CVE-2017-7843: Infoleak
First published: Wed Nov 29 2017(Updated: )
When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <57.0.1 | 57.0.1 |
| <57.0.1 | 57.0.1 | |
| <52.5.2 | 52.5.2 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Mozilla Firefox | <57.0.1 | |
| Mozilla Firefox ESR | <52.5.2 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.4 | |
| Redhat Enterprise Linux Server Eus | =7.4 | |
| Redhat Enterprise Linux Server Eus | =7.5 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| debian/firefox | 118.0.2-1 | |
| debian/firefox-esr | 91.12.0esr-1~deb10u1 115.3.1esr-1~deb10u1 102.15.0esr-1~deb11u1 115.3.1esr-1~deb11u1 102.15.1esr-1~deb12u1 115.3.0esr-1~deb12u1 115.3.0esr-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1410106
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/#CVE-2017-7843
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/
- http://www.securityfocus.com/bid/102039
- http://www.securityfocus.com/bid/102112
- http://www.securitytracker.com/id/1039954
- https://access.redhat.com/errata/RHSA-2017:3382
- https://lists.debian.org/debian-lts-announce/2017/12/msg00003.html
- https://www.debian.org/security/2017/dsa-4062
- https://www.mozilla.org/security/advisories/mfsa2017-27/
- https://www.mozilla.org/security/advisories/mfsa2017-28/
- https://bugzilla.redhat.com/show_bug.cgi?id=1518566
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7843
- https://security-tracker.debian.org/tracker/CVE-2017-7843
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2017-7843?
CVE-2017-7843 is a vulnerability that allows a web worker to write persistent data to IndexedDB in Private Browsing mode, potentially fingerprinting a user uniquely.
Which software is affected by CVE-2017-7843?
Mozilla Firefox versions up to 57.0.1, Mozilla Firefox ESR versions up to 52.5.2, and Debian versions including 118.0.2-1 and certain packages of Firefox-esr are affected by CVE-2017-7843.
What is the severity level of CVE-2017-7843?
CVE-2017-7843 has a severity level of high with a severity value of 7.
How can I fix CVE-2017-7843?
To fix CVE-2017-7843, update Mozilla Firefox to version 57.0.1 or later, Mozilla Firefox ESR to version 52.5.2 or later, or update the affected Debian packages to their respective patched versions.
Where can I find more information about CVE-2017-7843?
You can find more information about CVE-2017-7843 on the following references: [1] [2] [3].
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7843
- agent/softwarecombine
- agent/severity
- agent/weakness
- agent/author
- agent/references
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/description
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- agent/trending
- package-manager/debian
- vendor/mozilla
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.4
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.4
- version/redhat enterprise linux server eus/7.5
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0