Publish date
July 2016
Identifier
CVE-2017-5384
Manufacturer
Mozilla
Product
Firefox
Patched
https://bugzilla.mozilla.org/show_bug.cgi?id=1255474
Authors
Paul Stone, Alex Chapman
Description
Malicious Proxy Auto-Config (PAC) files allow for the disclosure of SSL/TLS-encrypted HTTPS request URLs (including full paths and query strings) from Firefox. The PAC file specifies a JavaScript function, FindProxyForURL(url, host), which is called for each URL request in order to determine the proxy required for the connection. This function receives the full URL and hostname for both HTTP and HTTPS requests, and a malicious PAC script can leak them. This could expose credentials, tokens, search terms or any other data passed in HTTPS URL query strings to internet-based attackers, data that would otherwise be encrypted in transit. This issue does not affect the default configuration of Firefox.
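The mitigation that closes this disclosure is to hand the PAC function only the origin of an https:// URL, never its path or query. The following is an added illustration of that approach, not the Firefox patch or any Mozilla code; the PAC body, the wrapper names urlForPac and resolveProxy, and the domains are constructed for the example.

```javascript
// Added illustration (not Mozilla's code): the mitigation modelled as a
// wrapper around a PAC script's FindProxyForURL. For https:// URLs only the
// origin (scheme, host, port) reaches the PAC function, so the script cannot
// observe the path or query string. http:// URLs are passed unchanged: PAC
// logic may legitimately depend on them, and they travel in the clear anyway.

// Hypothetical PAC script body, as a site administrator might deploy it.
function FindProxyForURL(url, host) {
  if (host.endsWith(".internal.example")) {   // constructed sample domain
    return "DIRECT";
  }
  return "PROXY proxy.example:8080";          // constructed sample proxy
}

// Reduce an https URL to its origin before the PAC script sees it.
function urlForPac(fullUrl) {
  const u = new URL(fullUrl);
  if (u.protocol === "https:") {
    return u.origin + "/";   // origin keeps a non-default port, drops path/query
  }
  return fullUrl;
}

// Resolve a proxy decision the way a hardened client would, recording
// exactly what the PAC script was allowed to observe.
function resolveProxy(fullUrl) {
  const u = new URL(fullUrl);
  const pacUrl = urlForPac(fullUrl);
  return { pacSawUrl: pacUrl, proxy: FindProxyForURL(pacUrl, u.hostname) };
}
```

Because the host is still passed separately, host-based PAC rules keep working while query-string secrets stay out of the script's reach.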