CVE-2018-12397 in Firefox
Summary
by MITRE
A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/26/2025
This vulnerability represents a significant bypass of Firefox's security model for WebExtensions, specifically targeting the permission system that should protect users from unauthorized access to their local filesystem. The flaw resides in the browser's handling of local file access permissions, where extensions can request access to local files without displaying the critical warning prompt that normally informs users about broad website access permissions. This represents a direct violation of the principle of least privilege and user consent that forms the foundation of modern browser security architectures. The vulnerability is particularly concerning because it undermines the fundamental trust model between users and browser extensions, allowing malicious actors to silently access local files without user awareness.
The technical implementation of this flaw involves the WebExtensions API's handling of local file access requests. When a local file is opened in Firefox, the browser should present a clear warning to users about potential extension access, but this warning mechanism fails to activate properly for certain extension requests. The vulnerability affects the permission prompt system specifically, where the "Access your data for all websites" warning is bypassed when extensions attempt to run content scripts on local pages. This occurs due to improper validation of the context in which extensions request file access, particularly when dealing with file:// URLs and local page execution contexts.
The operational impact of this vulnerability extends beyond simple data access, as it enables sophisticated attack vectors that can leverage the bypassed permission system. Attackers can craft malicious extensions that silently read local files, potentially accessing sensitive user data, configuration files, or personal documents without any user notification. The vulnerability is particularly dangerous in targeted attacks where attackers can use this to harvest credentials stored in local files or access sensitive information from local storage. This flaw allows for persistent access to local resources that should otherwise require explicit user consent, creating a backdoor for data exfiltration and further exploitation. The impact is amplified because the bypass occurs at the browser level, making it difficult for users to detect unauthorized access attempts.
Mitigation strategies for this vulnerability involve both immediate patching and operational security improvements. Organizations should prioritize updating Firefox installations to versions 60.3 ESR or 63.0 and later, which contain the necessary fixes for the permission bypass. System administrators should implement monitoring for suspicious extension behavior and maintain strict control over extension installation processes. The vulnerability highlights the importance of proper permission validation in browser security models and demonstrates how seemingly minor flaws in permission systems can create significant security risks. Security teams should also consider implementing extension whitelisting policies and regular security audits of installed extensions to prevent exploitation of similar permission bypass vulnerabilities. This issue aligns with CWE-693, which deals with protection mechanism failures, and represents a clear violation of the principle of user consent in the ATT&CK framework's defense evasion tactics.