Bug 1942786 (CVE-2021-23984) - CVE-2021-23984 Mozilla: Malicious extensions could have spoofed popup information
Summary: CVE-2021-23984 Mozilla: Malicious extensions could have spoofed popup informa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23984
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939796 1939797 1939798 1939799 1939800 1939801 1939805 1939806 1939807 1939808 1939809 1939810
Blocks: 1939794
TreeView+ depends on / blocked
 
Reported: 2021-03-25 00:47 UTC by Doran Moppert
Modified: 2021-03-30 11:47 UTC (History)
5 users (show)

Fixed In Version: firefox 78.9, thunderbird 78.9
Doc Type: If docs needed, set a value
Doc Text:
The Mozilla Foundation Security Advisory describes this issue as: A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials.
Clone Of:
Environment:
Last Closed: 2021-03-25 17:35:20 UTC


Attachments (Terms of Use)

Description Doran Moppert 2021-03-25 00:47:48 UTC
A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23984

Comment 1 Doran Moppert 2021-03-25 00:47:52 UTC
Acknowledgments:

Name: the Mozilla project
Upstream: Rob Wu

Comment 2 errata-xmlrpc 2021-03-25 12:19:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0990 https://access.redhat.com/errata/RHSA-2021:0990

Comment 3 errata-xmlrpc 2021-03-25 12:30:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0991 https://access.redhat.com/errata/RHSA-2021:0991

Comment 4 errata-xmlrpc 2021-03-25 12:55:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0995 https://access.redhat.com/errata/RHSA-2021:0995

Comment 5 errata-xmlrpc 2021-03-25 12:56:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0993 https://access.redhat.com/errata/RHSA-2021:0993

Comment 6 errata-xmlrpc 2021-03-25 12:57:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0989 https://access.redhat.com/errata/RHSA-2021:0989

Comment 7 errata-xmlrpc 2021-03-25 12:57:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0994 https://access.redhat.com/errata/RHSA-2021:0994

Comment 8 errata-xmlrpc 2021-03-25 13:33:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0996 https://access.redhat.com/errata/RHSA-2021:0996

Comment 9 errata-xmlrpc 2021-03-25 13:33:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0992 https://access.redhat.com/errata/RHSA-2021:0992

Comment 10 Product Security DevOps Team 2021-03-25 17:35:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23984


Note You need to log in before you can comment on or make changes to this bug.