CVE-2018-18499 in Firefox

Summary

by MITRE

A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.


Analysis

by VulDB Data Team • 05/13/2020

This vulnerability is a critical flaw in the browser's enforcement of the same-origin policy, the mechanism that protects user data and prevents unauthorized cross-origin information disclosure. The issue manifests when a malicious website uses a meta http-equiv="refresh" tag to redirect the user to another domain while calling the performance.getEntries() API to capture URL information from the original page. This creates an unintended pathway for an attacker to bypass browser security boundaries and read cross-origin data that should remain isolated within its originating domain.

Exploitation works through browser performance APIs that are normally restricted to same-origin contexts. When a page containing a refresh meta tag redirects the user to a different origin, performance.getEntries() can still return certain performance timing data from the previous page, including URL entries that may reveal sensitive information about the user's browsing history or navigation patterns. This directly contravenes the core principle that browsers isolate resources from different origins, and it effectively creates a data leakage channel between domains that should remain separated.

The operational impact extends beyond simple information disclosure: the flaw enables reconnaissance attacks that map user navigation patterns and can identify sensitive browsing activity. By collecting performance data from multiple origins, an attacker can build a detailed profile of user behavior that could then be used for targeted phishing, social engineering, or comprehensive user fingerprinting. This particularly affects web applications that handle sensitive data or operate in environments where user privacy is paramount.

Mozilla addressed this vulnerability with updates to Firefox, Firefox ESR, and Thunderbird; affected versions require prompt patching to restore proper same-origin policy enforcement. The fix strengthens the isolation around performance APIs so that cross-origin data cannot be accessed even when the redirection occurs through a meta tag. The vulnerability aligns with CWE-200 (exposure of sensitive information) and represents a specific implementation weakness in browser security controls that could be exploited through the ATT&CK technique of Credential Access through Web Application Firewall Evasion. Organizations should prioritize updating affected browser versions and implement additional monitoring to detect potential exploitation attempts, since this type of vulnerability can serve as a reconnaissance step for more sophisticated attacks against user privacy and data integrity.
