VIR Vulnerability Intelligence Relay

CVE-2018-12397

critical
Published — · Modified —
CVSS v3
CVSS v2
VIR risk
9.5

Description

A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2018-12397

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2018-12397.html

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-201810-14

OS impact
OSVersionStatusFixed in
arch archfixed63.0-1
suse slesaffected
debian debiansidfixed63.0-1
debian debianbookwormfixed60.3.0esr-1
debian debianbullseyefixed60.3.0esr-1
debian debianforkyfixed60.3.0esr-1
debian debiantrixiefixed60.3.0esr-1

References

Verify integrity in audit chain (admin only). AS-IS.