First published: Tue Dec 11 2018(Updated: )
A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript `location` property to cause a redirection to another site using `performance.getEntries()`. This is a same-origin policy violation and could allow for data theft. External Reference: <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18494">https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18494</a>
Credit: security@mozilla.org security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Thunderbird | <60.4 | 60.4 |
Mozilla Firefox ESR | <60.4 | 60.4 |
Mozilla Firefox | <64 | 64 |
Mozilla Firefox | <64.0 | |
Mozilla Firefox ESR | <60.4.0 | |
Mozilla Thunderbird | <60.4.0 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Redhat Enterprise Linux Desktop | =6.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =6.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Server Aus | =7.6 | |
Redhat Enterprise Linux Server Eus | =7.6 | |
Redhat Enterprise Linux Server Tus | =7.6 | |
Redhat Enterprise Linux Workstation | =6.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
debian/firefox | 133.0.3-1 | |
debian/firefox-esr | 115.14.0esr-1~deb11u1 128.5.0esr-1~deb11u1 128.3.1esr-1~deb12u1 128.5.0esr-1~deb12u1 128.5.0esr-1 128.5.1esr-1 | |
debian/thunderbird | 1:115.12.0-1~deb11u1 1:128.5.0esr-1~deb11u1 1:115.16.0esr-1~deb12u1 1:128.5.0esr-1~deb12u1 1:128.5.2esr-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Found alongside the following vulnerabilities)
CVE-2018-18494 is a vulnerability that allows the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries().
Mozilla Firefox (up to version 64), Mozilla Firefox ESR (up to version 60.4), and Mozilla Thunderbird (up to version 60.4) are affected by CVE-2018-18494.
CVE-2018-18494 has a severity rating of 6.5 (High).
Update Mozilla Firefox to version 64 or later, Mozilla Firefox ESR to version 60.4.1 or later, and Mozilla Thunderbird to version 60.4.1 or later to fix CVE-2018-18494.
You can find more information about CVE-2018-18494 on the Mozilla Bugzilla and Mozilla security advisories websites.