Уязвимость обхода защиты SameSite cookies через потерю происхождения запроса при перехвате "FetchEvent" в ServiceWorker в Firefox и Thunderbird
Описание
При перехвате запроса с помощью FetchEvent, происходящего в ServiceWorker, происходит потеря происхождения запроса после того, как ServiceWorker берет его под контроль. Это приводит к обходу защиты файлов cookie, использующих политику SameSite.
Затронутые версии ПО
- Firefox ESR до версии 102.5
- Thunderbird до версии 102.5
- Firefox до версии 107
Тип уязвимости
Обход защиты SameSite cookies
Ссылки
- Issue TrackingPermissions RequiredVendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Issue TrackingPermissions RequiredVendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Одно из
EPSS
6.5 Medium
CVSS3
Дефекты
Связанные уязвимости
When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
When a ServiceWorker intercepted a request with <code>FetchEvent</code ...
When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Уязвимость службы Service Workers браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю обойти существующие ограничения безопасности
EPSS
6.5 Medium
CVSS3