An information disclosure vulnerability exists in Microsoft Edge that allows JavaScript XML DOM objects to detect installed browser extensions.To exploit the vulnerability, in a web-based attack scenario, an attacker could host a malicious website in an attempt to make a user visit it.However, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site.An attacker who successfully exploited the vulnerability could potentially read data not intended to be disclosed. Note that the vulnerability would not allow an attacker to either execute code or elevate a users rights directly, but the vulnerability could be used to obtain information in an attempt to further compromise the affected system.The security update addresses the vulnerability by restricting what information is returned to Microsoft Edge by affected JavaScript object methods.