First published: Wed May 09 2018(Updated: )
If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this replaced code, the executed script would be run with the parent process' privileges, escaping the sandbox on content processes.
Credit: security@mozilla.org security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox | <60 | 60 |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =17.10 | |
Canonical Ubuntu Linux | =18.04 | |
Mozilla Firefox | <60.0 | |
debian/firefox | 131.0.3-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Found alongside the following vulnerabilities)
CVE-2018-5163 is a vulnerability that allows a malicious attacker to replace JavaScript code in the JavaScript Start-up Bytecode Cache (JSBC) in Mozilla Firefox.
CVE-2018-5163 allows attackers to execute arbitrary JavaScript code if the parent process runs the replaced code.
CVE-2018-5163 has a severity rating of 8.1 (High).
Mozilla Firefox versions up to and excluding 60.0 are affected by CVE-2018-5163.
Update to Mozilla Firefox version 60.0 or higher to fix CVE-2018-5163.