CVE-2023-6867 — UI Misrepresentation / Clickjacking in Mozilla Firefox
Severity
6.1MEDIUMNVD
OSV4.3
EPSS
0.9%
top 23.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 19
Latest updateJan 11
Description
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages5 packages
Also affects: Debian Linux 10.0, 11.0, 12.0
🔴Vulnerability Details
5OSV▶
CVE-2023-6867: The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts↗2023-12-19
CVEList▶
CVE-2023-6867: The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts↗2023-12-19
GHSA▶
GHSA-2mpv-2j92-5mm4: The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts↗2023-12-19
📋Vendor Advisories
5Debian▶
CVE-2023-6867: firefox - The timing of a button click causing a popup to disappear was approximately the ...↗2023