VulnerableCode Package Details - pkg:alpm/archlinux/firefox@57.0-1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2xza-hhmr-5ybw	Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code.	CVE-2017-7826
VCID-4437-azu7-hyhb	Some Arabic and Indic vowel marker characters can be combined with Latin characters in a domain name to eclipse the non-Latin character with some font sets on the addressbar. The non-Latin character will not be visible to most viewers. This allows for domain spoofing attacks because these combined domain names do not display as punycode.	CVE-2017-7833
VCID-6a4w-c6p8-affn	Control characters prepended before javascript: URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar.	CVE-2017-7839
VCID-7xac-5zdj-9fgk	Mozilla developers and community members Boris Zbarsky, Carsten Book, Christian Holler, Byron Campen, Jan de Mooij, Jason Kratzer, Jesse Schwartzentruber, Marcia Knous, Randell Jesup, Tyson Smith, and Ting-Yu Chou reported memory safety bugs present in Firefox 56. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.	CVE-2017-7827
VCID-bk86-keag-kfg8	Mixed content blocking of insecure (HTTP) sub-resources in a secure (HTTPS) document was not correctly applied for resources that redirect from HTTPS to HTTP, allowing content that should be blocked, such as scripts, to be loaded on a page.	CVE-2017-7835
VCID-dhyh-m8p3-ebdq	SVG loaded through <img> tags can use <meta> tags within the SVG data to set cookies for that page.	CVE-2017-7837
VCID-e4pk-uyeh-xfgk	The combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave, can be spoofed in the addressbar by the dotless version of 'i' followed by the same accent as a second character with most font sets. This allows for domain spoofing attacks because these combined domain names do not display as punycode.	CVE-2017-7832
VCID-ebzs-h9p8-tbb4	Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code.	CVE-2017-7830
VCID-gkrs-1aat-efhf	A data: URL loaded in a new tab did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the policy including the execution of JavaScript. In prior versions when data: documents also inherited the context of the original page this would allow for potential cross-site scripting (XSS) attacks.	CVE-2017-7834
VCID-ka31-epgw-2kcq	Punycode format text will be displayed for entire qualified international domain names in some instances when a sub-domain triggers the punycode display instead of the primary domain being displayed in native script and the sub-domain only displaying as punycode. This could be used for limited spoofing attacks due to user confusion.	CVE-2017-7838
VCID-kg3p-hut6-47f6	A vulnerability where the security wrapper does not deny access to some exposed properties using the deprecated _exposedProps_ mechanism on proxy objects. These properties should be explicitly unavailable to proxy objects.	CVE-2017-7831
VCID-qc2y-5tzg-ruav	JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks if users were convinced to add malicious tags to bookmarks, export them, and then open the resulting file.	CVE-2017-7840
VCID-wwjw-cqjk-8qe2	Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code.	CVE-2017-7828
VCID-xn3a-bun2-vkhy	If a document’s Referrer Policy attribute is set to "no-referrer" sometimes two network requests are made for <link> elements instead of one. One of these requests includes the referrer instead of respecting the set policy to not include a referrer on requests.	CVE-2017-7842
VCID-y92g-afff-2ua7	The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected.	CVE-2017-7836

Vulnerability

Summary

Aliases

VCID-2xza-hhmr-5ybw

Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code.

CVE-2017-7826

VCID-4437-azu7-hyhb

Some Arabic and Indic vowel marker characters can be combined with Latin characters in a domain name to eclipse the non-Latin character with some font sets on the addressbar. The non-Latin character will not be visible to most viewers. This allows for domain spoofing attacks because these combined domain names do not display as punycode.

CVE-2017-7833

VCID-6a4w-c6p8-affn

Control characters prepended before javascript: URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar.

CVE-2017-7839

VCID-7xac-5zdj-9fgk

Mozilla developers and community members Boris Zbarsky, Carsten Book, Christian Holler, Byron Campen, Jan de Mooij, Jason Kratzer, Jesse Schwartzentruber, Marcia Knous, Randell Jesup, Tyson Smith, and Ting-Yu Chou reported memory safety bugs present in Firefox 56. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

CVE-2017-7827

VCID-bk86-keag-kfg8

Mixed content blocking of insecure (HTTP) sub-resources in a secure (HTTPS) document was not correctly applied for resources that redirect from HTTPS to HTTP, allowing content that should be blocked, such as scripts, to be loaded on a page.

CVE-2017-7835

VCID-dhyh-m8p3-ebdq

SVG loaded through <img> tags can use <meta> tags within the SVG data to set cookies for that page.

CVE-2017-7837

VCID-e4pk-uyeh-xfgk

The combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave, can be spoofed in the addressbar by the dotless version of 'i' followed by the same accent as a second character with most font sets. This allows for domain spoofing attacks because these combined domain names do not display as punycode.

CVE-2017-7832

VCID-ebzs-h9p8-tbb4

Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code.

CVE-2017-7830

VCID-gkrs-1aat-efhf

A data: URL loaded in a new tab did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the policy including the execution of JavaScript. In prior versions when data: documents also inherited the context of the original page this would allow for potential cross-site scripting (XSS) attacks.

CVE-2017-7834

VCID-ka31-epgw-2kcq

Punycode format text will be displayed for entire qualified international domain names in some instances when a sub-domain triggers the punycode display instead of the primary domain being displayed in native script and the sub-domain only displaying as punycode. This could be used for limited spoofing attacks due to user confusion.

CVE-2017-7838

VCID-kg3p-hut6-47f6

A vulnerability where the security wrapper does not deny access to some exposed properties using the deprecated _exposedProps_ mechanism on proxy objects. These properties should be explicitly unavailable to proxy objects.

CVE-2017-7831

VCID-qc2y-5tzg-ruav

JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks if users were convinced to add malicious tags to bookmarks, export them, and then open the resulting file.

CVE-2017-7840

VCID-wwjw-cqjk-8qe2

Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code.

CVE-2017-7828

VCID-xn3a-bun2-vkhy

If a document’s Referrer Policy attribute is set to "no-referrer" sometimes two network requests are made for <link> elements instead of one. One of these requests includes the referrer instead of respecting the set policy to not include a referrer on requests.

CVE-2017-7842

VCID-y92g-afff-2ua7

The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges. *Note: This attack requires an attacker have local system access and only affects OS X and Linux. Windows systems are not affected.*

CVE-2017-7836

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-07T13:59:09.742695+00:00	Arch Linux Importer	Fixing	VCID-2xza-hhmr-5ybw	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.730886+00:00	Arch Linux Importer	Fixing	VCID-7xac-5zdj-9fgk	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.718954+00:00	Arch Linux Importer	Fixing	VCID-wwjw-cqjk-8qe2	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.705230+00:00	Arch Linux Importer	Fixing	VCID-ebzs-h9p8-tbb4	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.692062+00:00	Arch Linux Importer	Fixing	VCID-kg3p-hut6-47f6	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.677799+00:00	Arch Linux Importer	Fixing	VCID-e4pk-uyeh-xfgk	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.665916+00:00	Arch Linux Importer	Fixing	VCID-4437-azu7-hyhb	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.650605+00:00	Arch Linux Importer	Fixing	VCID-gkrs-1aat-efhf	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.637704+00:00	Arch Linux Importer	Fixing	VCID-bk86-keag-kfg8	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.626080+00:00	Arch Linux Importer	Fixing	VCID-y92g-afff-2ua7	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.611404+00:00	Arch Linux Importer	Fixing	VCID-dhyh-m8p3-ebdq	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.596212+00:00	Arch Linux Importer	Fixing	VCID-ka31-epgw-2kcq	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.581452+00:00	Arch Linux Importer	Fixing	VCID-6a4w-c6p8-affn	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.566986+00:00	Arch Linux Importer	Fixing	VCID-qc2y-5tzg-ruav	https://security.archlinux.org/AVG-494	38.1.0
2026-04-07T13:59:09.551805+00:00	Arch Linux Importer	Fixing	VCID-xn3a-bun2-vkhy	https://security.archlinux.org/AVG-494	38.1.0
2026-04-01T18:24:40.734343+00:00	Arch Linux Importer	Fixing	VCID-2xza-hhmr-5ybw	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.709069+00:00	Arch Linux Importer	Fixing	VCID-7xac-5zdj-9fgk	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.683559+00:00	Arch Linux Importer	Fixing	VCID-wwjw-cqjk-8qe2	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.657823+00:00	Arch Linux Importer	Fixing	VCID-ebzs-h9p8-tbb4	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.630014+00:00	Arch Linux Importer	Fixing	VCID-kg3p-hut6-47f6	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.605290+00:00	Arch Linux Importer	Fixing	VCID-e4pk-uyeh-xfgk	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.579006+00:00	Arch Linux Importer	Fixing	VCID-4437-azu7-hyhb	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.555135+00:00	Arch Linux Importer	Fixing	VCID-gkrs-1aat-efhf	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.528696+00:00	Arch Linux Importer	Fixing	VCID-bk86-keag-kfg8	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.504834+00:00	Arch Linux Importer	Fixing	VCID-y92g-afff-2ua7	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.477056+00:00	Arch Linux Importer	Fixing	VCID-dhyh-m8p3-ebdq	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.450974+00:00	Arch Linux Importer	Fixing	VCID-ka31-epgw-2kcq	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.420788+00:00	Arch Linux Importer	Fixing	VCID-6a4w-c6p8-affn	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.393296+00:00	Arch Linux Importer	Fixing	VCID-qc2y-5tzg-ruav	https://security.archlinux.org/AVG-494	38.0.0
2026-04-01T18:24:40.364545+00:00	Arch Linux Importer	Fixing	VCID-xn3a-bun2-vkhy	https://security.archlinux.org/AVG-494	38.0.0

2026-04-07T13:59:09.742695+00:00

Arch Linux Importer

Fixing