A vulnerability, which was classified as critical, has been found in Mozilla Firefox up to 122 (Web Browser). Affected by this issue is the function requestPointerLock of the component Fullscreen Mode. The manipulation with an unknown input leads to a ui layer vulnerability. Using CWE to declare the problem leads to CWE-1021. The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. Impacted is integrity. CVE summarizes:

A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123 and Firefox ESR < 115.8.

The weakness was presented 02/20/2024. The advisory is available at mozilla.org. This vulnerability is handled as CVE-2024-1550 since 02/15/2024. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 02/20/2024).

Upgrading to version 123 eliminates this vulnerability. The upgrade is hosted for download at mozilla.org.

See VDB-254192, VDB-254194, VDB-254195 and VDB-254196 for similar entries.

Productinfo

Type

• Web Browser

Vendor

• Mozilla

Name

• Firefox

Version

• 122

License

• open-source

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion