CVE-2023-6867

2023-12-1914:15:07

Alpine Linux Development Team

security.alpinelinux.org

button click timing

popup disappearance

anti-clickjacking delay

permission prompts

vulnerability

firefox esr

firefox

unix

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

21.0%

JSON

The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121.

OSVersionArchitecturePackageVersionFilename
Alpineedge-communitynoarchfirefox-esr< 115.6.0-r0UNKNOWN
Alpine3.18-communitynoarchfirefox-esr< 115.6.0-r0UNKNOWN
Alpine3.19-communitynoarchfirefox-esr< 115.6.0-r0UNKNOWN
Alpine3.20-communitynoarchfirefox-esr< 115.6.0-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-community	noarch	firefox-esr	< 115.6.0-r0	UNKNOWN
Alpine	3.18-community	noarch	firefox-esr	< 115.6.0-r0	UNKNOWN
Alpine	3.19-community	noarch	firefox-esr	< 115.6.0-r0	UNKNOWN
Alpine	3.20-community	noarch	firefox-esr	< 115.6.0-r0	UNKNOWN