Description
By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
References (10)
Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-53/
Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-54/
Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-52/
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1739091
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-5026
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5034
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202202-03
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202208-14
Scores
CVSS v3: 4.3
EPSS: 0.0027
EPSS Percentile: 51.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Details
CWE: CWE-362
Status: published
Products (6)
debian/debian_linux: 9.0
debian/debian_linux: 10.0
debian/debian_linux: 11.0
mozilla/firefox: < 95.0
mozilla/firefox_esr: < 91.4.0
mozilla/thunderbird: < 91.4.0
Published: Dec 08, 2021
Tracked Since: Feb 18, 2026