CVE-2021-43538: Race Condition in Mozilla Firefox

Severity
4.3 MEDIUM NVD
OSV 8.8 OSV 6.5
EPSS: 0.3% (top 48.96%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 8
Latest update: Jan 21

Description

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (9 packages)

CVEListV5 | mozilla/firefox | unspecified | 95
NVD | mozilla/firefox | < 95.0
CVEListV5 | mozilla/firefox_esr | unspecified | 91.4.0
NVD | mozilla/firefox_esr | < 91.4.0
Ubuntu | mozilla/firefox | < 95.0.1+build2-0ubuntu0.18.04.1+3

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴 Vulnerability Details (6)

OSV: thunderbird vulnerabilities (2022-01-21)
OSV: firefox regressions (2021-12-20)
GHSA: GHSA-9mvw-9c9q-7cmm: By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and poi (2021-12-09)
OSV: firefox vulnerabilities (2021-12-09)
OSV: CVE-2021-43538: By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and poi (2021-12-08)

📋 Vendor Advisories (9)

Ubuntu: Thunderbird vulnerabilities (2022-01-21)
Ubuntu: Thunderbird vulnerabilities (2022-01-21)
Ubuntu: Firefox regressions (2021-12-20)
Ubuntu: Firefox vulnerabilities (2021-12-09)
Red Hat: Mozilla: Missing fullscreen and pointer lock notification when requesting both (2021-12-07)