Bug 1072034 (CVE-2017-7843)

Summary: VUL-0: CVE-2017-7843: MozillaFirefox: Web worker in Private Browsing mode can write IndexedDB data
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Petr Cerny <pcerny>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: pcerny, suse, wolfgang
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/196080/
Whiteboard: CVSSv2:SUSE:CVE-2017-7843:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv3:SUSE:CVE-2017-7843:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Andreas Stieger 2017-12-09 20:13:48 UTC
from https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/
from https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/

- CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting.

References

bmo#1410106

Fixed in 57.0.1, 52.5.2 ESR

Already fixed in Factory, amending changelog.

Comment 2 Bernhard Wiedemann 2017-12-10 12:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1072034) was mentioned in
https://build.opensuse.org/request/show/555659 42.2+42.3 / MozillaFirefox

Comment 3 Bernhard Wiedemann 2017-12-11 09:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1072034) was mentioned in
https://build.opensuse.org/request/show/555866 Factory / MozillaFirefox

Comment 4 Swamp Workflow Management 2017-12-12 20:08:41 UTC
openSUSE-SU-2017:3272-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1072034
CVE References: CVE-2017-7843
Sources used:
openSUSE Leap 42.3 (src):    MozillaFirefox-52.5.2-69.1
openSUSE Leap 42.2 (src):    MozillaFirefox-52.5.2-57.24.1

Comment 6 Marcus Meissner 2019-07-18 07:23:04 UTC
fixed in our current ESR streams