cbcvebase.
CVE-2021-43538
published 2021-12-08


Priority: P419
Severity: medium, 4.3 (CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS: 1.16% (63.2nd percentile)
By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

Affected (23 ranges)

Vendor  | Product      | Version range                              | Fixed in
debian  | debian_linux |                                            |
debian  | debian_linux |                                            |
debian  | debian_linux |                                            |
debian  | firefox      | < firefox 95.0-1 (sid)                     | firefox 95.0-1 (sid)
debian  | firefox-esr  | < firefox 95.0-1 (sid)                     | firefox 95.0-1 (sid)
debian  | thunderbird  | < firefox 95.0-1 (sid)                     | firefox 95.0-1 (sid)
mozilla | firefox      | < 95.0                                     | 95.0
mozilla | firefox      |                                            |
mozilla | firefox      | >= 0 < 95.0.1+build2-0ubuntu0.18.04.1      | 95.0.1+build2-0ubuntu0.18.04.1
mozilla | firefox      | >= 0 < 95.0+build1-0ubuntu0.18.04.1        | 95.0+build1-0ubuntu0.18.04.1
mozilla | firefox      | >= 0 < 95.0.1+build2-0ubuntu0.20.04.1      | 95.0.1+build2-0ubuntu0.20.04.1
mozilla | firefox      | >= 0 < 95.0+build1-0ubuntu0.20.04.1        | 95.0+build1-0ubuntu0.20.04.1
mozilla | firefox      | >= unspecified < 95                        | 95
mozilla | firefox_esr  | < 91.4.0                                   | 91.4.0
mozilla | firefox_esr  | >= unspecified < 91.4.0                    | 91.4.0
mozilla | thunderbird  | < 91.4.0                                   | 91.4.0
mozilla | thunderbird  | >= 0 < 1:91.4.1-1~deb11u1                  | 1:91.4.1-1~deb11u1
mozilla | thunderbird  | >= 0 < 1:91.4.0-1                          | 1:91.4.0-1
mozilla | thunderbird  | >= 0 < 1:91.4.0-1                          | 1:91.4.0-1
mozilla | thunderbird  | >= 0 < 1:91.4.0-1                          | 1:91.4.0-1
mozilla | thunderbird  | >= 0 < 1:91.5.0+build1-0ubuntu0.18.04.1    | 1:91.5.0+build1-0ubuntu0.18.04.1
mozilla | thunderbird  | >= 0 < 1:91.5.0+build1-0ubuntu0.20.04.1    | 1:91.5.0+build1-0ubuntu0.20.04.1
mozilla | thunderbird  | >= unspecified < 91.4.0                    | 91.4.0

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 4.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
osv           |         | 8.8   | HIGH     |
vendor_ubuntu |         | 8.8   | HIGH     |
vendor_debian |         | 4.3   | MEDIUM   |
vendor_redhat |         | 4.3   | MEDIUM   |