CVE-2023-6206
Mozilla: Clickjacking permission prompts using the fullscreen transition
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
La animación de desvanecimiento negro al salir de la pantalla completa es aproximadamente la duración del retraso anti-clickjacking en las solicitudes de permiso. Era posible utilizar este hecho para sorprender a los usuarios atrayéndolos a hacer clic en el lugar donde el botón de concesión de permiso estaría a punto de aparecer. Esta vulnerabilidad afecta a Firefox < 120, Firefox < 115.5 y Thunderbird < 115.5.0.
The Mozilla Foundation Security Advisory describes this flaw as:
The black fade animation when exiting fullscreen is roughly
the length of the anti-clickjacking delay on permission prompts.
It was possible to use this fact to surprise users by luring them
to click where the permission grant button would be about to appear.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-11-20 CVE Reserved
- 2023-11-21 CVE Published
- 2024-08-02 CVE Updated
- 2024-10-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2023/11/msg00017.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2023/11/msg00030.html | ||
https://www.debian.org/security/2023/dsa-5561 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://www.mozilla.org/security/advisories/mfsa2023-49 | 2023-11-30 | |
https://www.mozilla.org/security/advisories/mfsa2023-50 | 2023-11-30 | |
https://www.mozilla.org/security/advisories/mfsa2023-52 | 2023-11-30 | |
https://access.redhat.com/security/cve/CVE-2023-6206 | 2023-11-29 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2250898 | 2023-11-29 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | < 120.0 Search vendor "Mozilla" for product "Firefox" and version " < 120.0" | - |
Affected
| ||||||
Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | < 115.5.0 Search vendor "Mozilla" for product "Firefox Esr" and version " < 115.5.0" | - |
Affected
| ||||||
Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | < 115.5 Search vendor "Mozilla" for product "Thunderbird" and version " < 115.5" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0" | - |
Affected
|