Bug 1301823 - (CVE-2016-1937) CVE-2016-1937 Mozilla: Missing delay following user click events in protocol handler dialog (MFSA 2016-06)
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Blocks: 1300522
Reported: 2016-01-25 23:16 EST by Huzaifa S. Sidhpurwala
Modified: 2016-01-26 23:50 EST (History)

Doc Type: Bug Fix
Last Closed: 2016-01-26 23:50:52 EST

Description Huzaifa S. Sidhpurwala 2016-01-25 23:16:03 EST
Security researcher window reported an issue where, when the protocol handler dialog appears, double click events are treated as two single click events. This was caused by the lack of a delay following the initial focus in the file download dialog. This could cause a second dialog to be sent the second click, leading to unintentional user initiated actions, such as the running of downloaded software from a maliciously positioned prompt.

External Reference:



Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges window as the original reporter.


This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.
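
The mitigation the description implies, a delay after a dialog gains focus during which clicks are ignored, sketched as an added example (not code from this report or from Mozilla). The class name, the 1000 ms delay and the event timeline are assumptions constructed for illustration.

```javascript
// Added example: click guard that ignores input for a short period after a
// dialog gains focus. DELAY_MS and all names are assumptions for illustration.
const DELAY_MS = 1000; // constructed value

class GuardedDialog {
  constructor(delayMs, now) {
    this.delayMs = delayMs;
    this.now = now;          // injected clock, so the timing can be replayed
    this.armedAt = Infinity; // buttons stay disabled until focus is gained
    this.accepted = 0;
  }
  // Call when the dialog is shown or regains focus: restart the delay.
  onFocus() { this.armedAt = this.now() + this.delayMs; }
  // Call on blur: disable until the next focus event re-arms the timer.
  onBlur() { this.armedAt = Infinity; }
  // Returns true only if the click arrives after the delay has elapsed.
  onAcceptClick() {
    if (this.now() < this.armedAt) return false; // too soon: drop the click
    this.accepted += 1;
    return true;
  }
}

// Replays a constructed timeline: each event is [timeMs, kind].
function replay(delayMs, events) {
  let t = 0;
  const dialog = new GuardedDialog(delayMs, () => t);
  const results = [];
  for (const [time, kind] of events) {
    t = time;
    if (kind === "focus") dialog.onFocus();
    else if (kind === "blur") dialog.onBlur();
    else results.push(dialog.onAcceptClick());
  }
  return results;
}

// Constructed timeline: the first click of a double click opens the dialog,
// which takes focus at t=20; the second click lands on it at t=150. A
// deliberate click follows at t=1500, then a blur/focus cycle and a quick click.
const TIMELINE = [
  [20, "focus"], [150, "click"], [1500, "click"],
  [1600, "blur"], [1700, "focus"], [1800, "click"],
];

console.log("no delay:  ", replay(0, TIMELINE));
console.log("with delay:", replay(DELAY_MS, TIMELINE));
```

Without the delay, the second half of the double click is accepted by the freshly focused dialog; with it, only the deliberate click that arrives after the delay is accepted, and regaining focus re-arms the guard.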
