CVE-2021-38506UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021UI Misrepresentation / Clickjacking14 documents8 sources
Severity
4.3MEDIUMNVD
OSV10.0OSV8.8
EPSS
0.9%
top 24.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird+1 more
Timeline
PublishedDec 8
Latest updateJan 21

Description

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified94
NVDmozilla/firefox< 94.0
CVEListV5mozilla/firefox_esrunspecified91.3
NVDmozilla/firefox_esr< 91.3.0
Ubuntumozilla/firefox< 94.0+build3-0ubuntu0.18.04.1+1

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴Vulnerability Details

5
OSV
thunderbird vulnerabilities2022-01-21
GHSA
GHSA-9wxw-f5fm-cf3j: Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user2021-12-09
OSV
CVE-2021-38506: Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user2021-12-08
CVEList
CVE-2021-38506: Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user2021-12-08
OSV
firefox vulnerabilities2021-11-03

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2022-01-21
Ubuntu
Thunderbird vulnerabilities2021-11-18
Ubuntu
Firefox vulnerabilities2021-11-03
Red Hat
Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning2021-11-02
Debian
CVE-2021-38506: firefox - Through a series of navigations, Firefox could have entered fullscreen mode with...2021
CVE-2021-38506 — UI Misrepresentation / Clickjacking | cvebase