A new vulnerability, CVE-2022-22746, has recently been discovered in Firefox for Windows, which could potentially allow an attacker to bypass the fullscreen notification and create unnoticed fullscreen window spoofs. It's crucial for users to be aware of this vulnerability, apply the necessary patches, and ensure the security of their browsing experience. This post aims to provide a detailed explanation of the vulnerability, explain how it occurs, and share relevant details about the affected systems and patches available to resolve the issue.

Vulnerability Details

The vulnerability affects Firefox for Windows, specifically Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. A race condition in these versions could let an attacker bypass the fullscreen notification and present a spoofed fullscreen window. The user may then believe they are interacting with a legitimate website or application when they are in fact viewing malicious content or a phishing page.

The following page script illustrates how the race condition is triggered in the vulnerable versions of Firefox:

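function enterFullScreen() {
  // Ask the browser to put the page into fullscreen mode.
  document.documentElement.requestFullScreen();
  // 1 ms later, open a second page while the fullscreen transition is still in progress.
  setTimeout(function () {
    window.open('spoof.html');
  }, 1);
}

// Run the function when the user clicks the element with ID 'fullscreen'.
document.getElementById('fullscreen').onclick = enterFullScreen;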

Explanation

This code snippet demonstrates the race condition in action. The enterFullScreen function runs when a user clicks the element with the 'fullscreen' ID. It first requests fullscreen mode by calling the requestFullScreen method. A setTimeout callback then opens the malicious 'spoof.html' page almost immediately (within 1ms) after the fullscreen request, so the new window races against the fullscreen transition in the affected versions of Firefox.

The attacker-designed 'spoof.html' page would potentially appear fullscreen with no indication to users that they had switched pages or entered fullscreen mode, bypassing the typical fullscreen notification.

Affected Systems

As mentioned, this vulnerability only affects Firefox for Windows. The specific versions are Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. If you have one of these versions installed on your Windows machine, you may be at risk.
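The version thresholds above can be checked against a software inventory. The following is an added example, not code from Mozilla or from the original post; the record fields (host, platform, product, version), the product keys and the sample inventory are constructed assumptions.

```javascript
// Added example: field names, product keys and sample records are constructed.
// Thresholds are the fixed versions stated on this page.
const FIXED_IN = {
  'firefox': [96],
  'firefox-esr': [91, 5],
  'thunderbird': [91, 5],
};

// "91.4.1esr" -> [91, 4, 1]; null when the string is not a dotted number.
function parseVersion(text) {
  const cleaned = String(text).trim().toLowerCase().replace(/esr$/, '');
  if (!/^\d+(\.\d+)*$/.test(cleaned)) return null;
  return cleaned.split('.').map(Number);
}

// Numeric comparison per component; missing components count as 0,
// so "96" equals "96.0" and "91.10" sorts after "91.5".
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Returns 'affected', 'not-affected', or 'unknown' (unlisted product or bad version).
function assess(record) {
  const fixed = FIXED_IN[String(record.product).toLowerCase()];
  const version = parseVersion(record.version);
  if (!fixed || !version) return 'unknown';
  if (!/^win/i.test(String(record.platform))) return 'not-affected'; // Windows only
  return compareVersions(version, fixed) < 0 ? 'affected' : 'not-affected';
}

// Constructed sample inventory.
const inventory = [
  { host: 'ws-01', platform: 'Windows 10', product: 'firefox', version: '95.0.2' },
  { host: 'ws-02', platform: 'Windows 10', product: 'firefox', version: '96.0' },
  { host: 'ws-03', platform: 'Windows 11', product: 'firefox-esr', version: '91.4.1esr' },
  { host: 'ws-04', platform: 'Windows 11', product: 'firefox-esr', version: '91.10.0esr' },
  { host: 'lx-01', platform: 'Linux', product: 'thunderbird', version: '91.4.1' },
];

function report(records) {
  return records.map((r) => `${r.host}: ${assess(r)}`);
}

console.log(report(inventory).join('\n'));
```

Hosts reported as 'unknown' need a manual check, since the product or version string could not be matched against the thresholds.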

Mitigation and Patching

Mozilla, the company responsible for Firefox, has released patches for the affected versions. It is highly recommended to update your Firefox and Thunderbird installations to the latest versions as soon as possible to mitigate this risk.

For more information about the patch and potential risks, check the official references:

1. Mozilla Foundation Security Advisory 2022-03
2. Mozilla Foundation Security Advisory 2022-07
3. Mozilla Foundation Security Advisory 2022-08
4. Official CVE records - CVE-2022-22746

Conclusion

While this vulnerability only affects a specific set of Firefox for Windows users, it is crucial to keep your browsers and email clients updated to maintain the security and integrity of your online interactions. By doing so, you can protect yourself from potential threats and ensure you are enjoying the safest and most secure browsing experience. So make sure to update your Firefox and Thunderbird to the patched versions and stay vigilant in avoiding similar vulnerabilities in the future.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/31/2022 04:02:00 UTC