Prototype Pollution Vulnerability in Firefox ESR and Thunderbird by Mozilla
CVE-2022-1529
8.8 HIGH
Key Information:
- Vendor: Mozilla
- CVE Published: 22 December 2022
Summary
A vulnerability exists in Mozilla's Firefox ESR, Firefox for Android, and Thunderbird products that allows an attacker to send specially crafted messages to the parent process. This can lead to double-indexing within a JavaScript object, resulting in prototype pollution. Consequently, this may enable attackers to execute arbitrary JavaScript code in the context of the privileged parent process, posing significant security risks to users.
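The bug class the summary describes, shown as an added example that is not Mozilla's code: a handler that indexes an object twice with keys taken from a message, beside a hardened form. The function names, the `{group, name, value}` message shape and the registry object are assumptions made for illustration.

```javascript
// Generic illustration of double-indexing; not Firefox or Thunderbird code.
// All names here (handleUnsafe, handleSafe, makeRegistry) are hypothetical.

// Vulnerable pattern: two message-supplied keys index a plain object.
function handleUnsafe(registry, msg) {
  // registry["__proto__"] resolves to Object.prototype, so the second
  // index writes a property that every ordinary object then inherits.
  registry[msg.group][msg.name] = msg.value;
}

// Hardened pattern: prototype-less containers plus own-property lookups.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function makeRegistry(groups) {
  const reg = Object.create(null); // no prototype chain to reach
  for (const g of groups) reg[g] = Object.create(null);
  return reg;
}

function handleSafe(registry, msg) {
  for (const key of [msg.group, msg.name]) {
    if (typeof key !== "string" || FORBIDDEN.has(key)) return false;
  }
  // Only groups created by makeRegistry are valid first-level keys.
  if (!Object.prototype.hasOwnProperty.call(registry, msg.group)) return false;
  registry[msg.group][msg.name] = msg.value;
  return true;
}

function demo() {
  // Constructed message from a less-privileged sender.
  const msg = { group: "__proto__", name: "polluted", value: true };

  handleUnsafe({ prefs: {} }, msg);
  const leaked = ({}).polluted === true; // unrelated object is affected
  delete Object.prototype.polluted;      // undo the pollution

  const safeReg = makeRegistry(["prefs"]);
  const accepted = handleSafe(safeReg, msg);
  const stillClean = ({}).polluted === undefined;
  const normal = handleSafe(safeReg, { group: "prefs", name: "theme", value: "dark" });
  return { leaked, accepted, stillClean, normal, theme: safeReg.prefs.theme };
}
```
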
Affected Version(s)
Firefox < 100.0.2
Firefox ESR < 91.9.1
Firefox for Android < 100.3.0
CVSS V3.1
- Score: 8.8
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved