In general, this flaw be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
CVSS v3 metrics
|CVSS3 Base Score||8.8|
|CVSS3 Base Metrics||CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H|
AcknowledgementsRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Samuel Groß (Google Project Zero) as the original reporter.
CVE description copyright © 2017, The MITRE Corporation