CVE-2019-11754 — User Interface (UI) Misrepresentation of Critical Information in Mozilla Firefox

CWE-451 — User Interface (UI) Misrepresentation of Critical Information7 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 59.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedSep 27

Latest updateMay 24

Description

When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given. This could allow a malicious website to hijack the mouse pointer and confuse users. This vulnerability affects Firefox < 69.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/firefox< firefox 69.0.1-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 69.0.1

▶NVDmozilla/firefox< 69.0.1

▶Ubuntumozilla/firefox< 69.0.1+build1-0ubuntu0.16.04.1+1

🔴Vulnerability Details

GHSA

GHSA-q3j6-jpv5-vp5g: When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given↗2022-05-24

▶

OSV

CVE-2019-11754: When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given↗2019-09-19

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerability↗2019-09-25

▶

Red Hat

Mozilla: Pointer Lock is enabled with no user notification↗2019-09-18

▶

Debian

CVE-2019-11754: firefox - When the pointer lock is enabled by a website though requestPointerLock(), no us...↗2019

▶

💬Community

Bugzilla

CVE-2019-11754 Mozilla: Pointer Lock is enabled with no user notification↗2019-09-19

▶