CVE-2018-12358 in Firefox
Summary
by MITRE
Service workers can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to read responses which are supposed to be opaque. This vulnerability affects Firefox < 61.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/23/2020
This vulnerability in Firefox browsers represents a critical flaw in the service worker implementation that undermines cross-origin resource security mechanisms. The issue stems from how service workers handle redirection operations when processing cross-origin requests, creating an unexpected pathway for malicious actors to bypass intended security restrictions. When a service worker intercepts a cross-origin request and subsequently redirects it, the browser's tainting mechanism fails to properly mark the response as opaque, allowing the malicious site to access response data that should remain inaccessible due to cross-origin restrictions.
The technical exploitation of this vulnerability occurs through the manipulation of service worker registration and request interception processes. Service workers operate with elevated privileges and can intercept network requests, but in this specific case, the redirection logic does not properly maintain the security context that should prevent access to opaque responses. This failure creates a scenario where a malicious website can register a service worker that intercepts cross-origin requests, processes them through redirection operations, and then accesses the response data that would normally be restricted. The vulnerability specifically affects Firefox versions prior to 61, indicating that this was a targeted issue within the browser's service worker implementation that had not been properly addressed in earlier releases.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables sophisticated attacks that can compromise user privacy and data integrity. Attackers can leverage this flaw to construct malicious service workers that systematically access cross-origin resources that should be opaque, potentially extracting sensitive information from third-party domains. This capability undermines the fundamental security model that browsers implement to isolate origins and prevent unauthorized data access. The vulnerability creates a pathway for persistent cross-site data theft where attackers can maintain access to restricted resources across multiple browsing sessions, as service workers can remain active and continue intercepting requests.
The security implications align with CWE-200, which addresses "Information Exposure," and represents a failure in proper access control mechanisms. Additionally, this vulnerability maps to ATT&CK technique T1106, "Execution through API," as it involves the legitimate use of service worker APIs to achieve unauthorized access. The flaw demonstrates how legitimate browser features can be exploited when implementation details do not properly account for security boundaries. Organizations and users should prioritize updating to Firefox version 61 or later, where this vulnerability has been addressed through improved service worker redirection handling. The fix implemented by Mozilla likely involved stricter enforcement of opaque response handling during redirection operations, ensuring that cross-origin requests maintain their security context throughout the service worker lifecycle. This vulnerability underscores the complexity of modern web security implementations and the importance of thorough testing of edge cases in browser security models.