CVE-2022-26384

Published: Dec 22, 2022Modified: Apr 16, 2025

9.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 6.0

Source: NVD

Description

If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

Affected (3)

Products: Mozilla: Firefox, Firefox Esr, Thunderbird

3 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 98.0
Mozilla Firefox Esr	Before 91.7
Mozilla Thunderbird	Before 91.7

Related CWEs

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References (8)

https://bugzilla.mozilla.org/show_bug.cgi?id=1744352

Source: security@mozilla.org

ExploitIssue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-10/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-11/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-12/

Source: security@mozilla.org

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1744352

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-10/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-11/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-12/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.