Security Severity Ratings
| Severity | Description | Examples |
|---|---|---|
| Critical | Run attacker code with local user privilege, or install software, requiring no user interaction beyond normal browsing. The big bada boom. | Overflows resulting in native code execution; JavaScript injection into browser chrome; Launching of an arbitrary local application with provided arguments; Filetype spoofing where executables can masquerade as benign content types |
| High | Obtain confidential data from other sites the user is visiting or from the local machine, or inject data or code into those sites, requiring no more than normal browsing actions. | Cross-site Scripting (XSS); Theft of arbitrary files from the local system; Spoofing of the full URL bar or bypass of SSL integrity checks |
| Moderate | Disclosure of sensitive information, such as name, username, or entire browsing history, that represents a violation of privacy but by itself does not expose the user or organization to immediate risk. A vulnerability that, combined with another moderate vulnerability, could result in an attack of high or critical severity (aka a stepping stone). Denial of Service attacks resulting in a browser crash. | Identification of a user by unauthorized access to the username, or by profiling browsing behavior; Disclosure of the browser cache path; Detection of arbitrary local files; Launching of an arbitrary local application without arguments; Local storage of passwords in unencrypted form |
| Low | Minor security vulnerabilities such as temporary Denial of Service attacks, or leaks or spoofs of non-sensitive information. | Detection of a previous visit to a specific site; Script that hangs the browser for a while and then triggers the "slow script" dialog; Corruption of browser dialogs or user input without the ability to spoof arbitrary messages |