CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
92.7%
shutdown reports that scripts granted the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to “read” into a privileged context. This allows the attacker the ability to run scripts with the full privelege of the user running the browser, possibly installing malware or snooping on private data. This has been fixed so that UniversalBrowserRead and UniversalBrowserWrite are limited to reading from and writing into only normally-privileged browser windows and frames.