CVE-2023-5721 — UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021 — UI Misrepresentation / Clickjacking CWE-356 — Product UI does not Warn User of Unsafe Actions14 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 45.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +1 more

Timeline

PublishedOct 25

Latest updateNov 14

Description

It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages7 packages

▶CVEListV5mozilla/firefoxunspecified — 119

▶NVDmozilla/firefox< 119.0

▶CVEListV5mozilla/firefox_esrunspecified — 115.4

▶NVDmozilla/firefox_esr< 115.4

▶CVEListV5mozilla/thunderbirdunspecified — 115.4.1

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

OSV

firefox regressions↗2023-11-14

▶

OSV

thunderbird vulnerabilities↗2023-11-02

▶

OSV

firefox vulnerabilities↗2023-10-30

▶

OSV

CVE-2023-5721: It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-del↗2023-10-25

▶

GHSA

GHSA-cw53-7m4g-22j6: It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-del↗2023-10-25

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2023-11-02

▶

Ubuntu

Firefox vulnerabilities↗2023-10-30

▶

Red Hat

Mozilla: Queued up rendering could have allowed websites to clickjack↗2023-10-24

▶

Debian

CVE-2023-5721: firefox - It was possible for certain browser prompts and dialogs to be activated or dismi...↗2023

▶

Mozilla

Mozilla Foundation Security Advisory 2023-46: CVE-2023-5721↗

▶