Bug 1149291 (CVE-2019-11748)

Summary: VUL-0: CVE-2019-11748: MozillaFirefox: Persistence of WebRTC permissions in a third party context
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Charles Robertson <cgrobertson>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: atoptsoglou, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/241691/
Whiteboard: CVSSv2:NVD:CVE-2019-11748:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1149323, 1149324
Bug Blocks:

Description Alexander Bergmann 2019-09-04 06:48:36 UTC
CVE-2019-11748: Persistence of WebRTC permissions in a third party context

Reporter   Jan-Ivar Bruaroey
Impact     moderate

Description
WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use.


References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11748
https://bugzilla.mozilla.org/show_bug.cgi?id=1564588
https://bugzilla.redhat.com/show_bug.cgi?id=1748665
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11748

Comment 1 Alexandros Toptsoglou 2020-02-04 14:45:51 UTC
Closing