Mozilla Foundation Security Advisory 2018-05

Arbitrary code execution through unsanitized browser UI

Announced

January 29, 2018

Reporter

Johann Hofmann

Impact

Critical

Products

Firefox

Fixed in

• Firefox 58.0.1

Description

Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI can lead to arbitrary code execution.

This issue did not affect Firefox for Android or Firefox 52 ESR.

References

• Sanitize HTML fragments created for chrome-privileged documents (CVE-2018-5124)