Bug 2250898 (CVE-2023-6206) - CVE-2023-6206 Mozilla: Clickjacking permission prompts using the fullscreen transition
Summary: CVE-2023-6206 Mozilla: Clickjacking permission prompts using the fullscreen t...
Keywords:
Status: NEW
Alias: CVE-2023-6206
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2249647
TreeView+ depends on / blocked
 
Reported: 2023-11-21 17:42 UTC by Mauro Matteo Cascella
Modified: 2023-11-29 13:55 UTC (History)
0 users

Fixed In Version: firefox 115.5, thunderbird 115.5
Doc Type: ---
Doc Text:
The Mozilla Foundation Security Advisory describes this flaw as: The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7499 0 None None None 2023-11-27 15:44:28 UTC
Red Hat Product Errata RHSA-2023:7500 0 None None None 2023-11-27 15:46:53 UTC
Red Hat Product Errata RHSA-2023:7501 0 None None None 2023-11-27 15:47:02 UTC
Red Hat Product Errata RHSA-2023:7502 0 None None None 2023-11-27 15:44:51 UTC
Red Hat Product Errata RHSA-2023:7503 0 None None None 2023-11-27 15:57:31 UTC
Red Hat Product Errata RHSA-2023:7504 0 None None None 2023-11-27 15:48:24 UTC
Red Hat Product Errata RHSA-2023:7505 0 None None None 2023-11-27 16:10:19 UTC
Red Hat Product Errata RHSA-2023:7506 0 None None None 2023-11-27 16:03:04 UTC
Red Hat Product Errata RHSA-2023:7507 0 None None None 2023-11-27 16:09:08 UTC
Red Hat Product Errata RHSA-2023:7508 0 None None None 2023-11-27 16:10:11 UTC
Red Hat Product Errata RHSA-2023:7509 0 None None None 2023-11-27 16:18:13 UTC
Red Hat Product Errata RHSA-2023:7510 0 None None None 2023-11-27 16:03:11 UTC
Red Hat Product Errata RHSA-2023:7511 0 None None None 2023-11-27 16:10:02 UTC
Red Hat Product Errata RHSA-2023:7512 0 None None None 2023-11-27 16:25:01 UTC
Red Hat Product Errata RHSA-2023:7547 0 None None None 2023-11-28 15:12:07 UTC
Red Hat Product Errata RHSA-2023:7569 0 None None None 2023-11-29 12:49:24 UTC
Red Hat Product Errata RHSA-2023:7570 0 None None None 2023-11-29 12:49:31 UTC
Red Hat Product Errata RHSA-2023:7573 0 None None None 2023-11-29 13:42:58 UTC
Red Hat Product Errata RHSA-2023:7574 0 None None None 2023-11-29 13:43:06 UTC
Red Hat Product Errata RHSA-2023:7577 0 None None None 2023-11-29 13:55:06 UTC

Description Mauro Matteo Cascella 2023-11-21 17:42:16 UTC 
The black fade animation when exiting fullscreen is roughly
the length of the anti-clickjacking delay on permission prompts.
It was possible to use this fact to surprise users by luring them
to click where the permission grant button would be about to appear.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206
Comment 27 errata-xmlrpc 2023-11-27 15:44:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7499 https://access.redhat.com/errata/RHSA-2023:7499
Comment 28 errata-xmlrpc 2023-11-27 15:44:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:7502 https://access.redhat.com/errata/RHSA-2023:7502
Comment 29 errata-xmlrpc 2023-11-27 15:46:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7500 https://access.redhat.com/errata/RHSA-2023:7500
Comment 30 errata-xmlrpc 2023-11-27 15:47:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7501 https://access.redhat.com/errata/RHSA-2023:7501
Comment 31 errata-xmlrpc 2023-11-27 15:48:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7504 https://access.redhat.com/errata/RHSA-2023:7504
Comment 32 errata-xmlrpc 2023-11-27 15:57:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7503 https://access.redhat.com/errata/RHSA-2023:7503
Comment 33 errata-xmlrpc 2023-11-27 16:03:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7506 https://access.redhat.com/errata/RHSA-2023:7506
Comment 34 errata-xmlrpc 2023-11-27 16:03:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7510 https://access.redhat.com/errata/RHSA-2023:7510
Comment 35 errata-xmlrpc 2023-11-27 16:09:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7507 https://access.redhat.com/errata/RHSA-2023:7507
Comment 36 errata-xmlrpc 2023-11-27 16:10:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7511 https://access.redhat.com/errata/RHSA-2023:7511
Comment 37 errata-xmlrpc 2023-11-27 16:10:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7508 https://access.redhat.com/errata/RHSA-2023:7508
Comment 38 errata-xmlrpc 2023-11-27 16:10:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7505 https://access.redhat.com/errata/RHSA-2023:7505
Comment 39 errata-xmlrpc 2023-11-27 16:18:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7509 https://access.redhat.com/errata/RHSA-2023:7509
Comment 40 errata-xmlrpc 2023-11-27 16:24:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7512 https://access.redhat.com/errata/RHSA-2023:7512
Comment 41 errata-xmlrpc 2023-11-28 15:12:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:7547 https://access.redhat.com/errata/RHSA-2023:7547
Comment 42 errata-xmlrpc 2023-11-29 12:49:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:7569 https://access.redhat.com/errata/RHSA-2023:7569
Comment 43 errata-xmlrpc 2023-11-29 12:49:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:7570 https://access.redhat.com/errata/RHSA-2023:7570
Comment 44 errata-xmlrpc 2023-11-29 13:42:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7573 https://access.redhat.com/errata/RHSA-2023:7573
Comment 45 errata-xmlrpc 2023-11-29 13:43:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7574 https://access.redhat.com/errata/RHSA-2023:7574
Comment 46 errata-xmlrpc 2023-11-29 13:55:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7577 https://access.redhat.com/errata/RHSA-2023:7577
Note You need to log in before you can comment on or make changes to this bug.