CVE-2021-43538
Mozilla: Missing fullscreen and pointer lock notification when requesting both
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
Mediante el uso indebido de una carrera en nuestro código de notificación, un atacante podría haber ocultado a la fuerza la notificación de las páginas que habían recibido acceso a pantalla completa y bloqueo de puntero, lo que podría haber sido usado para ataques de suplantación de identidad. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 91.4.0, Firefox ESR versiones anteriores a 91.4.0 y Firefox versiones anteriores a 95
The Mozilla Foundation Security Advisory describes this flaw as:
By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-08 CVE Reserved
- 2021-12-08 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-23 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202202-03 | 2022-12-09 | |
| https://security.gentoo.org/glsa/202208-14 | 2022-12-09 | |
| https://www.debian.org/security/2021/dsa-5026 | 2022-12-09 | |
| https://www.debian.org/security/2022/dsa-5034 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-52 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-53 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-54 | 2022-12-09 | |
| https://access.redhat.com/security/cve/CVE-2021-43538 | 2021-12-09 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2030109 | 2021-12-09 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | < 95.0 Search vendor "Mozilla" for product "Firefox" and version " < 95.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | < 91.4.0 Search vendor "Mozilla" for product "Firefox Esr" and version " < 91.4.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | < 91.4.0 Search vendor "Mozilla" for product "Thunderbird" and version " < 91.4.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||