-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Security Updates for Mozilla Firefox and Firefox ESR
15 November 2017
AusCERT Security Bulletin Summary
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Existing Account
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
CVE Names: CVE-2017-7842 CVE-2017-7840 CVE-2017-7839
CVE-2017-7838 CVE-2017-7837 CVE-2017-7836
CVE-2017-7835 CVE-2017-7834 CVE-2017-7833
CVE-2017-7832 CVE-2017-7831 CVE-2017-7830
CVE-2017-7828 CVE-2017-7827 CVE-2017-7826
Member content until: Friday, December 15 2017
Multiple vulnerabilities have been identified in Mozilla Firefox
prior to version 57 and Firefox ESR prior to version 52.5. [1,2]
Vulnerabilities affecting Firefox and Firefox ESR:
"#CVE-2017-7828: Use-after-free of PressShell while restyling layout
A use-after-free vulnerability can occur when flushing and resizing layout
because the PressShell object has been freed while still in use. This results in
a potentially exploitable crash during these operations.
#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for data theft
of URLs loaded by users.
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
Mozilla developers and community members Christian Holler, David Keeler, Jon
Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp, Nicholas
Nethercote, Oriol Brufau, André Bargull, Bob Clary, Jet Villegas, Randell Jesup,
Tyson Smith, Gary Kwong, and Ryan VanderMeulen reported memory safety bugs
present in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some of these
could be exploited to run arbitrary code." [1,2]
Vulnerabilities particular to Firefox:
A vulnerability where the security wrapper does not deny access to some exposed
properties using the deprecated exposedProps mechanism on proxy objects. These
properties should be explicitly unavailable to proxy objects.
#CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers
The combined, single character, version of the letter 'i' with any of the
potential accents in unicode, such as acute or grave, can be spoofed in the
addressbar by the dotless version of 'i' followed by the same accent as a second
character with most font sets. This allows for domain spoofing attacks because
these combined domain names do not display as punycode.
#CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters
Some Arabic and Indic vowel marker characters can be combined with Latin
characters in a domain name to eclipse the non-Latin character with some font
sets on the addressbar. The non-Latin character will not be visible to most
viewers. This allows for domain spoofing attacks because these combined domain
names do not display as punycode.
#CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections
A data: URL loaded in a new tab did not inherit the Content Security Policy
(CSP) of the original page, allowing for bypasses of the policy including the
the context of the original page this would allow for potential cross-site
scripting (XSS) attacks.
#CVE-2017-7835: Mixed content blocking incorrectly applies with redirects
Mixed content blocking of insecure (HTTP) sub-resources in a secure (HTTPS)
document was not correctly applied for resources that redirect from HTTPS to
HTTP, allowing content that should be blocked, such as scripts, to be loaded on
#CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X
The "pingsender" executable used by the Firefox Health Report dynamically
loads a system copy of libcurl, which an attacker could replace. This allows
for privilege escalation as the replaced libcurl code will run with Firefox's
Note: This attack requires an attacker to have local system access and only affects
OS X and Linux. Windows systems are not affected.
#CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies
SVG loaded through <img> tags can use <meta> tags within the SVG data to set cookies for that page.
#CVE-2017-7838: Failure of individual decoding of labels in international domain
names triggers punycode display of entire IDN
Punycode format text will be displayed for entire qualified international domain
names in some instances when a sub-domain triggers the punycode display instead
of the primary domain being displayed in native script and the sub-domain only
displaying as punycode. This could be used for limited spoofing attacks due to
executed instead of being blocked. This could be used in social engineering and
self-cross-site-scripting (self-XSS) attacks where users are convinced to copy
and paste text into the addressbar.
#CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags
code into user-supplied tags in saved bookmarks. If the resulting exported HTML
be used in social engineering and self-cross-site-scripting (self-XSS) attacks
if users were convinced to add malicious tags to bookmarks, export them, and
then open the resulting file.
#CVE-2017-7842: Referrer Policy is not always respected for <link> elements
If a document's Referrer Policy attribute is set to "no-referrer" sometimes
two network requests are made for <link> elements instead of one. One of these
requests includes the referrer instead of respecting the set policy to not
include a referrer on requests.
#CVE-2017-7827: Memory safety bugs fixed in Firefox 57
Mozilla developers and community members Boris Zbarsky, Carsten Book, Christian
Holler, Byron Campen, Jan de Mooij, Jason Kratzer, Jesse Schwartzentruber,
Marcia Knous, Randell Jesup, Tyson Smith, and Ting-Yu Chou reported memory
safety bugs present in Firefox 56. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort that some of these could be
exploited to run arbitrary code."
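The three IDN display issues listed above (CVE-2017-7832, CVE-2017-7833 and CVE-2017-7838) all come down to the difference between how a label is drawn and which code points it actually contains. As an added example that is not part of this bulletin and is not Mozilla's own IDN display code, the following Python script, using only the standard library, flags hostname labels in which a combining mark survives NFC normalisation (the dotless-i-plus-accent case and the Arabic/Indic-vowel-mark-on-a-Latin-letter case) and prints each label's punycode form label by label, which is the per-label handling CVE-2017-7838 describes as the intended behaviour. The heuristic and the sample hostnames are our own constructions.

```python
# Added example (not from the AusCERT bulletin or from Mozilla): triage
# hostnames for the combining-mark spoofing pattern described in the bulletin.
import unicodedata
from typing import Dict, List

DOTLESS_I = "\u0131"  # LATIN SMALL LETTER DOTLESS I


def suspicious_marks(label: str) -> List[str]:
    """Return the reasons a single hostname label looks like a display spoof.

    Heuristic (ours, not Mozilla's display algorithm): after NFC normalisation a
    genuine accented Latin letter becomes one precomposed code point, so any
    combining mark (Unicode category M*) that is still present is decorating a
    base character that has no precomposed form. That is exactly the dotless i
    followed by an accent, or an Arabic/Indic vowel sign placed on a Latin
    letter. An empty list means nothing suspicious was found.
    """
    nfc = unicodedata.normalize("NFC", label)
    reasons: List[str] = []
    for i, ch in enumerate(nfc):
        if not unicodedata.category(ch).startswith("M"):
            continue
        prev = nfc[i - 1] if i else ""
        if prev == DOTLESS_I:
            reasons.append(f"dotless i + {unicodedata.name(ch)}")
        else:
            reasons.append(f"combining mark {unicodedata.name(ch)} after {prev!r}")
    return reasons


def analyse_hostname(hostname: str) -> Dict:
    """Analyse every label of a hostname independently.

    Each label is reported with its own punycode form (ASCII labels are left
    as they are) and its own list of reasons, so one suspicious sub-domain does
    not hide what the other labels contain.
    """
    labels = []
    for label in hostname.split("."):
        try:
            punycode = label.encode("idna").decode("ascii")
        except UnicodeError as exc:  # label rejected by nameprep
            punycode = f"<not encodable: {exc}>"
        labels.append({"label": label, "punycode": punycode,
                       "reasons": suspicious_marks(label)})
    return {"hostname": hostname, "labels": labels,
            "suspicious": any(entry["reasons"] for entry in labels)}


if __name__ == "__main__":
    # Constructed sample hostnames: one genuine accent (precomposed after NFC),
    # one dotless i + combining acute, one Arabic fatha on a Latin letter.
    for host in ("cafe\u0301.example", "pa\u0131\u0301pal.example",
                 "ex\u064eample.example"):
        result = analyse_hostname(host)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {host}")
        for entry in result["labels"]:
            print(f"    {entry['label']!r} -> {entry['punycode']}  {entry['reasons']}")
```

The heuristic deliberately over-flags: labels written entirely in a script where combining vowel signs are normal (a genuine Arabic or Devanagari name) will also be reported, so treat the output as a triage signal for log or certificate review rather than as a blocking rule.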
Users are advised to upgrade to the latest versions to address
these issues. [1,2]
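As a practical check for the upgrade advice above, here is an added Python helper (not from AusCERT or Mozilla) that decides whether a version string reported by a Firefox build is older than the fixed releases this bulletin names, Firefox 57 and Firefox ESR 52.5. It assumes the string looks like "56.0.2", "52.4.1esr" or "Mozilla Firefox 57.0"; whether a build is on the ESR branch is taken from an "esr" suffix or from the caller's `esr` argument, which is an assumption about how an inventory records that fact.

```python
# Added example (not from the AusCERT bulletin or from Mozilla): compare a
# reported Firefox version against the fixed releases named in this bulletin.
import re
from typing import Optional, Tuple

FIXED_RELEASE = (57, 0, 0)  # Firefox 57 (MFSA 2017-24)
FIXED_ESR = (52, 5, 0)      # Firefox ESR 52.5 (MFSA 2017-25)

# Accepts "56.0.2", "52.4.1esr", "57", "Mozilla Firefox 57.0" (case-insensitive).
_VERSION_RE = re.compile(
    r"(?i)^(?:mozilla\s+firefox\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(esr)?\s*$"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), has_esr_suffix); raise ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), esr is not None


def is_affected(text: str, esr: Optional[bool] = None) -> bool:
    """True when the build predates the fix for its branch.

    `esr=None` means "trust the suffix in the string". An ESR build reported
    without the suffix is compared against 57 instead of 52.5, so it is still
    flagged as affected: the conservative outcome for a patch check.
    """
    version, suffix = parse_version(text)
    on_esr = suffix if esr is None else esr
    return version < (FIXED_ESR if on_esr else FIXED_RELEASE)


if __name__ == "__main__":
    # Constructed sample inventory lines (host, reported version).
    inventory = [("ws-01", "56.0.2"), ("ws-02", "Mozilla Firefox 57.0"),
                 ("srv-03", "52.4.1esr"), ("srv-04", "52.5.0esr")]
    for host, reported in inventory:
        status = "UPGRADE" if is_affected(reported) else "ok"
        print(f"{host:8} {reported:24} {status}")
```

Run it against whatever source of truth you have for installed versions (package manager output, endpoint inventory, `firefox --version`); the only per-site decision is how to tell the script that a build is ESR when the string does not say so.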
[1] Mozilla Foundation Security Advisory 2017-24
[2] Mozilla Foundation Security Advisory 2017-25
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----