CVE-2023-25730UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021UI Misrepresentation / ClickjackingCWE-821Incorrect Synchronization15 documents8 sources
Severity
5.4MEDIUMNVD
OSV8.8OSV6.5
EPSS
0.1%
top 72.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedJun 2

Description

A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified110
NVDmozilla/firefox< 110.0
CVEListV5mozilla/firefox_esrunspecified102.8
NVDmozilla/firefox_esr< 102.8
Ubuntumozilla/firefox< 110.0+build3-0ubuntu0.18.04.1+3

🔴Vulnerability Details

6
GHSA
GHSA-3q42-qm7m-gp8c: A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting2023-06-02
CVEList
CVE-2023-25730: A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting2023-06-02
OSV
CVE-2023-25730: A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting2023-06-02
OSV
thunderbird vulnerabilities2023-03-13
OSV
firefox regressions2023-03-01

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2023-03-13
Ubuntu
Firefox regressions2023-03-01
Ubuntu
Firefox vulnerabilities2023-02-20
Red Hat
Mozilla: Screen hijack via browser fullscreen mode2023-02-14
Debian
CVE-2023-25730: firefox - A background script invoking <code>requestFullscreen</code> and then blocking th...2023
CVE-2023-25730 — UI Misrepresentation / Clickjacking | cvebase