WebExtensions CSP Bypass and Unauthorized Extension Installation in Firefox < 51

WebExtensions CSP Bypass and Unauthorized Extension Installation in Firefox < 51

CVE-2017-5389 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:P/A:N

WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51.

Learn more about our Api Penetration Testing.