Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-7vkm-ukkg-mfez
Vulnerability ID VCID-7vkm-ukkg-mfez
Aliases CVE-2020-15653
Summary Mozilla developer Anne van Kesteren discovered that <iframe sandbox> with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-276 Incorrect Default Permissions
System Score Found at
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15653.json
epss 0.00284 https://api.first.org/data/v1/epss?cve=CVE-2020-15653
cvssv3.1 4.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
archlinux High https://security.archlinux.org/AVG-1213
archlinux High https://security.archlinux.org/AVG-1214
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2020-30
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2020-32
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2020-33
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15653.json
https://api.first.org/data/v1/epss?cve=CVE-2020-15653
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1861645 https://bugzilla.redhat.com/show_bug.cgi?id=1861645
AVG-1213 https://security.archlinux.org/AVG-1213
AVG-1214 https://security.archlinux.org/AVG-1214
mfsa2020-30 https://www.mozilla.org/en-US/security/advisories/mfsa2020-30
mfsa2020-32 https://www.mozilla.org/en-US/security/advisories/mfsa2020-32
mfsa2020-33 https://www.mozilla.org/en-US/security/advisories/mfsa2020-33
RHSA-2020:3555 https://access.redhat.com/errata/RHSA-2020:3555
RHSA-2020:3557 https://access.redhat.com/errata/RHSA-2020:3557
RHSA-2020:3559 https://access.redhat.com/errata/RHSA-2020:3559
RHSA-2020:4080 https://access.redhat.com/errata/RHSA-2020:4080
USN-4443-1 https://usn.ubuntu.com/4443-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15653.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.52018
EPSS Score 0.00284
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:26:25.668110+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2020/mfsa2020-33.yml 38.6.0