CVE-2022-22743 An attacker-controlled tab could make the browser unable to leave fullscreen mode.

Firefox users that are relying on Google Chrome or Microsoft Edge to view sites that have been changed to require full-screen mode are advised to limit full-screen usage to trusted sites. An attacker could exploit this vulnerability by crafting a site that triggers fullscreen mode. For example, an attacker could host a malicious video or image file on a website, or host a JavaScript applet on a website. When a user loaded the website in Firefox, the website would trigger fullscreen mode and the attacker-controlled content would be displayed. Users that frequently left full-screen mode on the same website or visited that website frequently could be at risk. If users frequently left full-screen mode on a website, users should consider not visiting that website in full-screen mode through Firefox.

Vulnerability Overview:

This vulnerability, CVE-2022-22743, is a flaw in Firefox that could allow malicious websites to display their own content fullscreen and take over the user's browser. The vulnerability primarily affects users who frequent websites that have not been updated to prevent this attack. This bug has been addressed in Firefox ESR 24.x and 26.x releases.

Vulnerability details

An attacker could exploit this vulnerability by crafting a site that triggers full-screen mode. For example, an attacker could host a malicious video or image file on a website, or host a JavaScript applet on a website. When a user loaded the website in Firefox, the website would trigger fullscreen mode and the attacker-controlled content would be displayed. Users that frequently left full-screen mode on the same website or visited that website frequently could be at risk. If users frequently left full-screen mode on a website, users should consider not visiting that website in full-screen mode through Firefox until this vulnerability is fixed.

How to mitigate risk from the Firefox Fullscreen vulnerability

The full-screen vulnerability has been patched by Mozilla. Firefox users that are relying on Google Chrome or Microsoft Edge to view sites that have been changed to require full-screen mode should limit their use to trusted sites.  Users should be cautious of visiting a website in full-screen mode because it could lead to exploitation of the vulnerability.

How Does Full-Screen Mode Work?

Full-screen mode is triggered when the user presses F11 on their keyboard. This can happen when a website's content is too complex to fit into the browser window or when the user is using a plug-in that triggers full-screen mode. Full-screen mode usually covers the entire browser window and hides all other content while allowing the user to interact with elements on the screen.

Impact of the vulnerability

If users frequently left full-screen mode on a website, users should consider not visiting that website in full-screen mode through Firefox.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 20:12:00 UTC

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1739220
• https://www.mozilla.org/security/advisories/mfsa2022-02/
• https://www.mozilla.org/security/advisories/mfsa2022-01/
• https://www.mozilla.org/security/advisories/mfsa2022-03/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22743