CVE-2023-6867

2023-12-1914:15:07

CWE-1021

[email protected]

web.nvd.nist.gov

firefox

esr

permission grant

button

vulnerability

timing

clickjacking

surprise

users

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.0%

JSON

The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121.

Affected configurations

Nvd

Node

mozillafirefoxRange<121.0

mozillafirefox_esrRange<115.6

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

debiandebian_linuxMatch12.0

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillafirefox_esr*cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
debiandebian_linux12.0cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	firefox_esr	*	cpe:2.3:a:mozilla:firefox_esr::::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*
debian	debian_linux	12.0	cpe:2.3:o:debian:debian_linux:12.0:::::::*