====================================================================
CERT-Renater Information Note No. 2017/VULN375
_____________________________________________________________________

DATE                 : 05/12/2017
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Firefox versions prior to 57.0.1.
=====================================================================

https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2017-27

Security vulnerabilities fixed in Firefox 57.0.1

ANNOUNCED   November 29, 2017
IMPACT      CRITICAL
PRODUCTS    Firefox
FIXED IN    Firefox 57.0.1


#CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

REPORTER    Konark
IMPACT      HIGH

Description

When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and use it to fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode; the data written this way persists across multiple private browsing sessions because it is not cleared when the session ends.

References
Bug 1410106


#CVE-2017-7844: Visited history information leak through SVG image

REPORTER    Daniel Jackson
IMPACT      HIGH

Description

A combination of an external SVG image referenced on a page and the coloring of anchor links stored within this image can be used to determine which pages a user has in their history. This allows a malicious website to query the user's browsing history.

Note: This issue only affects Firefox 57. Earlier releases are not affected.

References
Bug 1420001

==========================================================
+ CERT-RENATER           | tel  : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel     | fax  : 01-53-94-20-41           +
+ 75013 Paris            | email: cert@support.renater.fr  +
==========================================================
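The affected-systems line above ("Firefox versions prior to 57.0.1") is the check an administrator has to run across a fleet. The script below is an added example, not part of the CERT-Renater note or of Mozilla's advisory: it compares a Firefox version string component by component against the fixed release 57.0.1 and reports whether the installed build falls in the affected range. Assumptions, not stated in the note: that `firefox --version` prints a line of the form "Mozilla Firefox 57.0.1", that the binary is on PATH or named by FIREFOX_BIN, and that ESR builds (suffix "esr") are compared on their numeric part only; the note says nothing about the ESR branch, so treat an ESR result as a prompt to consult Mozilla's own ESR advisories rather than as a verdict.

```shell
#!/bin/sh
# Constructed example (not from CERT-Renater or MFSA 2017-27): flag Firefox
# installs older than the fixed release named in the advisory.

FIXED_VERSION="57.0.1"

# version_lt A B : return 0 if dotted version A is strictly lower than B.
# A trailing non-numeric suffix ("57.0.1esr", "58.0b3") is stripped first,
# and a missing component is treated as 0, so "57.0" compares below "57.0.1".
version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                  # leading component of each
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac   # drop consumed component
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                                    # all components equal
}

# firefox_affected VERSION : return 0 if VERSION is in the range covered by
# this note (anything below 57.0.1), 1 otherwise.
firefox_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_firefox_version : print the version of the local Firefox binary.
# Assumption: "$FIREFOX_BIN --version" prints "Mozilla Firefox <version>".
installed_firefox_version() {
    "${FIREFOX_BIN:-firefox}" --version 2>/dev/null |
        sed -n 's/^Mozilla Firefox \([0-9][0-9.a-z]*\).*/\1/p'
}

# Report on the local install when a Firefox binary is available.
if [ -n "${FIREFOX_BIN:-}" ] || command -v firefox >/dev/null 2>&1; then
    v=$(installed_firefox_version)
    if [ -n "$v" ] && firefox_affected "$v"; then
        echo "Firefox $v is affected by MFSA 2017-27: update to $FIXED_VERSION or later"
    else
        echo "Firefox ${v:-version unknown}: not in the range covered by MFSA 2017-27"
    fi
fi
```

Run it on each host, or feed `firefox_affected` the version strings collected by inventory tooling; a "57.0" or "57.0.0" build is reported as affected, which matches the advisory's wording, and the note on CVE-2017-7844 means a 57.0 install carries both issues while a 56.x install carries only CVE-2017-7843.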