CVE-2022-1802 in Firefox
Summary
by MITRE • 12/22/2022
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.
Analysis
by VulDB Data Team • 05/01/2025
This vulnerability is a critical prototype pollution flaw in the JavaScript engine: an attacker who can manipulate object prototypes can execute arbitrary code in a privileged context. The root cause is insufficient validation in the engine's handling of Array object methods, which lets carefully crafted input corrupt the prototype chain. Once the Array prototype is polluted, the injected code runs with elevated privileges and can compromise the entire browser environment. The flaw affects several Mozilla products (Firefox Extended Support Release, regular Firefox, Firefox for Android and Thunderbird), so its impact spans the Mozilla ecosystem. It is classified under CWE-471, "Modification of Assumed-Immutable Data", and is a significant threat to web application security.
Technically, the flaw lies in how the JavaScript engine resolves object methods through prototype inheritance. An attacker who can alter the prototype chain of Array objects can replace core methods such as forEach, map or other array iteration functions with attacker-controlled functions, and those functions then run during ordinary array operations. This is a form of code injection: the attacker-controlled code executes in the same security context as legitimate browser operations, bypassing the usual sandboxing. The attack vector typically involves supplying malformed data that is processed by array methods and modifies the prototype chain in a way that leads to code execution. This aligns with ATT&CK technique T1059.007, "Command and Scripting Interpreter: JavaScript", and T1566.002, "Phishing: Spearphishing Attachment", since such flaws are commonly delivered through malicious attachments or compromised websites.
The operational impact goes beyond simple code execution to complete browser compromise and potential data exfiltration. A successful exploit lets the attacker read sensitive user data, act on the user's behalf and escalate privileges within the browser. Because the affected versions account for a large share of deployed installations, the flaw is particularly dangerous in practice: organizations running them face targeted attacks in which adversaries use it to gain persistent access to user systems. The privilege escalation aspect means that even when the user runs with standard privileges, the injected code runs with the full permissions of the browser process, giving it access to cookies, local storage and other browser data that may hold sensitive information. Its presence in both desktop and mobile versions widens the attack surface further, since users can be targeted across multiple platforms.
Mitigation primarily means updating promptly to patched versions of the affected products: Firefox ESR 91.9.1, Firefox 100.0.2, Firefox for Android 100.3.0 and Thunderbird 91.9.1 address the prototype pollution issue. Organizations should additionally deploy protections such as content security policies that restrict script execution, and monitor for suspicious prototype modifications. Browser configurations should be hardened by disabling unnecessary JavaScript features and enforcing strict sandboxing. Security teams should also consider intrusion detection systems that recognize patterns associated with prototype pollution attacks, and should run regular security assessments and vulnerability scans to find systems still on vulnerable versions. Mozilla's fix addresses the root cause by strengthening the validation of object method modifications and better protecting core prototype objects. User education programs reduce the risk of exploitation through social engineering, and patch management should prioritize these specific versions so that the fixes reach every affected system quickly.
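The bug class described in the analysis and the defensive patterns behind the mitigation, as an added example that is not from the advisory or from Mozilla's code: a helper that resolves forEach through Array.prototype at call time is at the mercy of whatever script last modified that prototype, whereas a helper that captures the built-in method before untrusted code runs is not. The pollution here is a constructed stand-in (a forEach that never invokes its callback) and the names INTRINSICS, naiveSum, hardenedSum and tamperedArrayMethods are hypothetical.

```javascript
// Added example, not from the advisory or Mozilla's code. It shows why privileged
// code must not trust Array.prototype methods that untrusted script can replace,
// and two defensive patterns: captured intrinsics and an integrity check.

// Capture the built-ins once, before any untrusted script has a chance to run.
const INTRINSICS = Object.freeze({
  apply: Reflect.apply,
  forEach: Array.prototype.forEach,
  map: Array.prototype.map,
});

// Naive helper: resolves forEach through the prototype chain at call time,
// so whatever Array.prototype.forEach currently is gets executed.
function naiveSum(values) {
  let total = 0;
  values.forEach((v) => { total += v; });
  return total;
}

// Hardened helper: calls the captured intrinsic via Reflect.apply, so a later
// change to Array.prototype cannot redirect the call.
function hardenedSum(values) {
  let total = 0;
  INTRINSICS.apply(INTRINSICS.forEach, values, [(v) => { total += v; }]);
  return total;
}

// Constructed stand-in for a polluted prototype: the replacement swallows the
// callback, so code that relies on the prototype lookup silently misbehaves.
// Returns a function that restores the original method.
function simulatePollution() {
  const original = Array.prototype.forEach;
  Array.prototype.forEach = function () { /* callback never runs */ };
  return () => { Array.prototype.forEach = original; };
}

// Integrity check: names of captured methods that no longer match what
// Array.prototype resolves to (an empty list means nothing was tampered with).
function tamperedArrayMethods() {
  return Object.keys(INTRINSICS)
    .filter((name) => name !== "apply" && Array.prototype[name] !== INTRINSICS[name]);
}
```

Freezing Array.prototype with Object.freeze before untrusted code runs is a third option, but it breaks pages that legitimately add polyfills, so capturing intrinsics is the pattern privileged code usually relies on.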