CVE-2021-23984
MEDIUM
Firefox < 87.0 and Firefox ESR < 78.9 - Authentication Bypass by Spoofing via Popup Window
Title source: llm
Description
A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
References (4)
Core References
Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-10/
Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-12/
Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-11/
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1693664
Scores
CVSS v3
6.5
EPSS
0.0021
EPSS Percentile
43.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-290
Status
published
Products (3)
mozilla/firefox
< 87.0
mozilla/firefox_esr
< 78.9
mozilla/thunderbird
< 78.9
Published
Mar 31, 2021
Tracked Since
Feb 18, 2026