Описание
Microsoft Edge Information Disclosure Vulnerability
An information disclosure vulnerability exists in Microsoft Edge that allows JavaScript XML DOM objects to detect installed browser extensions.
To exploit the vulnerability, in a web-based attack scenario, an attacker could host a malicious website in an attempt to make a user visit it. However, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site.
An attacker who successfully exploited the vulnerability could potentially read data not intended to be disclosed. Note that the vulnerability would not allow an attacker to either execute code or elevate a user’s rights directly, but the vulnerability could be used to obtain information in an attempt to further compromise the affected system.
The security update addresses the vulnerability by restricting what information is returned to Microsoft Edge by affected JavaScript object methods.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for 32-bit Systems | ||
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for x64-based Systems | ||
| Microsoft Edge (EdgeHTML-based) on Windows Server 2016 | ||
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1703 for 32-bit Systems | ||
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1703 for x64-based Systems |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
EPSS
4.3 Medium
CVSS3
Связанные уязвимости
Microsoft Edge in Windows 10 1607 and 1703, and Windows Server 2016 allows an attacker to read data not intended to be disclosed when Edge allows JavaScript XML DOM objects to detect installed browser extensions, aka "Microsoft Edge Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-8504.
Microsoft Edge in Windows 10 1607 and 1703, and Windows Server 2016 allows an attacker to read data not intended to be disclosed when Edge allows JavaScript XML DOM objects to detect installed browser extensions, aka "Microsoft Edge Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-8504.
EPSS
4.3 Medium
CVSS3