CVE-2022-46877Cross-site Scripting in Mozilla Firefox

CWE-79Cross-site ScriptingCWE-357Insufficient UI Warning of Dangerous Operations14 documents7 sources
Severity
4.3MEDIUMNVD
OSV8.8OSV6.5
EPSS
0.5%
top 34.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Mozilla FirefoxMozilla ThunderbirdDebian Firefox+3 more
Timeline
PublishedDec 22
Latest updateFeb 6

Description

By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages9 packages

debiandebian/firefox< firefox 108.0-1 (sid)
CVEListV5mozilla/firefoxunspecified108
NVDmozilla/firefox< 108.0
debiandebian/firefox-esr< firefox 108.0-1 (sid)
Ubuntumozilla/firefox< 108.0.1+build1-0ubuntu0.18.04.1+3

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

5
OSV
thunderbird vulnerabilities2023-02-06
OSV
firefox regressions2023-01-05
OSV
CVE-2022-46877: By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks2022-12-22
GHSA
GHSA-qhr9-wjgv-2r72: By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks2022-12-22
OSV
firefox vulnerabilities2022-12-15

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2023-02-06
Red Hat
Mozilla: Fullscreen notification bypass2023-01-17
Ubuntu
Firefox regressions2023-01-10
Ubuntu
Firefox vulnerabilities2022-12-15
Debian
CVE-2022-46877: firefox - By confusing the browser, the fullscreen notification could have been delayed or...2022
CVE-2022-46877 — Cross-site Scripting in Mozilla | cvebase