CVE-2021-38506

MEDIUM

Firefox <94 - Info Disclosure

Title source: llm

Description

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

References (10)

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2021-49/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2021-50/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2021-48/

[Issue Tracking, Permissions Required, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1730750

[Third Party Advisory] https://www.debian.org/security/2021/dsa-5026

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html

[Third Party Advisory] https://www.debian.org/security/2022/dsa-5034

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

[Third Party Advisory] https://security.gentoo.org/glsa/202202-03

[Third Party Advisory] https://security.gentoo.org/glsa/202208-14

Scores

CVSS v3 4.3

EPSS 0.0087

EPSS Percentile 75.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-1021

Status published

Products (6)

debian/debian_linux 9.0

debian/debian_linux 10.0

debian/debian_linux 11.0

mozilla/firefox < 94.0

mozilla/firefox_esr < 91.3.0

mozilla/thunderbird < 91.3.0

Published Dec 08, 2021

Tracked Since Feb 18, 2026