Prototype Pollution Vulnerability in Mozilla Firefox and Thunderbird
CVE-2022-1802

8.8HIGH

Key Information:

Vendor: Mozilla
Status: Firefox Esr; Firefox; Firefox For Android; Thunderbird
Vendor: CVE Published:; 22 December 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A security vulnerability exists in Mozilla Firefox and Thunderbird that allows an attacker to manipulate the methods of an Array object in JavaScript through prototype pollution. This manipulation could enable the execution of malicious JavaScript code in a privileged context, putting user data and security at risk. This affects specific versions of Firefox and Thunderbird, including Firefox ESR, Firefox for Android, and Thunderbird, requiring users to update to safer versions to mitigate potential exploitation.

Affected Version(s)

Firefox < 100.0.2

Firefox ESR < 91.9.1

Firefox for Android < 100.3.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-1802
Created by mistymntncop

References

https://www.mozilla.org/security/advisories/mfsa2022-19/

https://bugzilla.mozilla.org/show_bug.cgi?id=1770137

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 22, 2022
🟡
Public PoC available
Aug 20, 2022
👾
Exploit known to exist
Aug 20, 2022
Vulnerability Reserved
May 19, 2022