HTTP: Microsoft Edge document.domain Same Origin Policy Bypass
A policy bypass vulnerability has been reported in Microsoft Edge. This vulnerability is due improper enforcement of cross-domain policies with pages that have an empty document.domain property. A remote attacker could exploit this vulnerability by enticing a user to visit a maliciously crafted web-page. Successful exploitation of this vulnerability would allow an attacker to bypass the same origin policy and disclose sensitive information.
Extended Description
Microsoft Edge allows remote attackers to bypass the Same Origin Policy via vectors involving the about:blank URL and data: URLs, aka "Microsoft Edge Elevation of Privilege Vulnerability."
Affected Products
Microsoft edge
Short Name
HTTP:MS-EDGE-SOP-BYPASS
Severity
Minor
Recommended
True
Recommended Action
Drop
Category
HTTP
Keywords
Bypass CVE-2017-0002 Edge Microsoft Origin Policy Same bid:95284 document.domain
Release Date
02/08/2017
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3415
False Positive
Unknown
Vendors
Microsoft
CVSS Score
6.8