Security Advisory

CVE-2018-18497

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2019-02-28 18:00:00

Last updated 2024-08-05 11:08:21

Assigner mozilla

State PUBLISHED

Description

Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a pipe in the URL field is used within the extension to load multiple pages as a single argument. This could allow a malicious WebExtension to open privileged about: or file: locations. This vulnerability affects Firefox < 64.

← Browse all CVEs View on cve.org ↗