Bug 2178470 (CVE-2023-28164)

Summary: CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erack, jhorak, nobody, stransky, tpopela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firefox 102.9, thunderbird 102.9 Doc Type: ---
Doc Text:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory described the issue of dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-27 19:18:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2176588, 2176589, 2176590, 2176592, 2176593, 2176594, 2176595, 2176596, 2176597, 2176598, 2176599, 2176600, 2176601, 2176604, 2176605, 2176606, 2176607, 2176608, 2176609, 2176610, 2176611, 2176612, 2176613, 2176614, 2176615, 2176616    
Bug Blocks: 2176586    

Description msiddiqu 2023-03-15 04:31:07 UTC 
Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28164
Comment 9 errata-xmlrpc 2023-03-20 09:29:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1333 https://access.redhat.com/errata/RHSA-2023:1333
Comment 10 errata-xmlrpc 2023-03-20 09:34:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1337 https://access.redhat.com/errata/RHSA-2023:1337
Comment 11 errata-xmlrpc 2023-03-20 09:36:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1336 https://access.redhat.com/errata/RHSA-2023:1336
Comment 12 errata-xmlrpc 2023-03-21 08:16:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1364 https://access.redhat.com/errata/RHSA-2023:1364
Comment 13 errata-xmlrpc 2023-03-21 09:43:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1367 https://access.redhat.com/errata/RHSA-2023:1367
Comment 14 errata-xmlrpc 2023-03-22 10:05:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1401 https://access.redhat.com/errata/RHSA-2023:1401
Comment 15 errata-xmlrpc 2023-03-22 10:23:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1402 https://access.redhat.com/errata/RHSA-2023:1402
Comment 16 errata-xmlrpc 2023-03-22 10:33:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1403 https://access.redhat.com/errata/RHSA-2023:1403
Comment 17 errata-xmlrpc 2023-03-22 10:34:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1407 https://access.redhat.com/errata/RHSA-2023:1407
Comment 18 errata-xmlrpc 2023-03-22 10:34:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1404 https://access.redhat.com/errata/RHSA-2023:1404
Comment 19 errata-xmlrpc 2023-03-23 11:07:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1442 https://access.redhat.com/errata/RHSA-2023:1442
Comment 20 errata-xmlrpc 2023-03-23 11:16:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1443 https://access.redhat.com/errata/RHSA-2023:1443
Comment 21 errata-xmlrpc 2023-03-23 11:16:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1445 https://access.redhat.com/errata/RHSA-2023:1445
Comment 22 errata-xmlrpc 2023-03-23 11:27:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1444 https://access.redhat.com/errata/RHSA-2023:1444
Comment 23 errata-xmlrpc 2023-03-27 08:16:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1472 https://access.redhat.com/errata/RHSA-2023:1472
Comment 24 errata-xmlrpc 2023-03-27 15:11:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1479 https://access.redhat.com/errata/RHSA-2023:1479
Comment 25 Product Security DevOps Team 2023-03-27 19:18:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-28164