Fullscreen notification spoofing and hiding vulnerability in Mozilla Firefox leading to data theft
Description
After a website enters fullscreen mode, it can use a previously opened popup window to hide the notification that indicates the browser is in fullscreen mode. Combined with spoofing of the browser interface, this confuses the user about the current origin of the page and leads to credential theft or other attacks.
Affected software versions
- Firefox versions before 74
Vulnerability type
Spoofing, credential theft
References
- Issue Tracking, Vendor Advisory
- Vendor Advisory
- Issue Tracking, Vendor Advisory
- Vendor Advisory
Vulnerable configurations
EPSS
4.3 Medium
CVSS3
4.3 Medium
CVSS2
Defects
Related vulnerabilities
After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome, this could have led to confusing the user about the current origin of the page and credential theft or other attacks. This vulnerability affects Firefox < 74.