CVE-2022-22761 - How a Firefox & Thunderbird Bug Left Web Extensions Open to Clickjacking Attacks

In early 2022, security researchers discovered a significant vulnerability in Mozilla Firefox, Thunderbird, and the Firefox ESR (Extended Support Release). Known as CVE-2022-22761, this flaw specifically involved web-accessible extension pages and their mishandling of a critical security control: the frame-ancestors directive from the Content Security Policy (CSP).

In this post, we’ll break down what went wrong, how attackers could exploit this, why it mattered, and show you actual code snippets to illustrate the bug. We’ll also point to the official resources for deeper learning.

What is CVE-2022-22761?

A bug where Firefox and Thunderbird didn't properly enforce CSP's frame-ancestors directive on extension pages with the moz-extension:// scheme.

Why does it matter?

Attackers could embed these extension pages via iframes, enabling risky phishing or clickjacking attacks.

The Vulnerability in Simple Terms

Web extensions often have internal pages (e.g., settings or UI) loaded under URLs like moz-extension://<extension-id>/page.html. These sometimes handle sensitive data, and it's critical they can't be loaded into other websites’ frames.

Normally, developers use CSP to prevent this, setting something like

Content-Security-Policy: frame-ancestors 'self'

This says: “only I can frame myself—nobody else.” If a malicious website tries to include your extension page in an iframe, the browser should block it.

But CVE-2022-22761 revealed that Firefox and Thunderbird did not enforce this directive for moz-extension:// pages, so the rule was silently ignored exactly where it was needed.

Result: Any website could embed your extension’s pages. Imagine someone making a full-screen fake login dialog using your extension’s page!
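To make the rule concrete, here is a small model of the check a browser is supposed to run before it lets a document be placed in a frame. This is an added example written for this post; it is not Mozilla's code and not the real CSP implementation. It parses the `frame-ancestors` directive out of a CSP string and decides whether a chain of ancestor frames may embed the page. The extension id and the site names are constructed placeholders, and the matching is deliberately simplified (no path matching, `'self'` requires an exact origin match, and a source with no port only matches an ancestor on its scheme's default port).

```javascript
// Added example, not code from the original post or from Mozilla: a model of
// the frame-ancestors check. Simplified relative to the full CSP3 algorithm.

// Build the origin string by hand: the WHATWG URL object reports "null" as the
// origin of non-special schemes such as moz-extension:, which would make every
// extension look like the same origin as every other one.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`.toLowerCase();
}

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // The first occurrence of a directive wins, as in the spec.
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Does one ancestor-source expression match the ancestor frame's URL?
function sourceMatches(source, ancestorUrl, docOrigin) {
  const a = new URL(ancestorUrl);
  const scheme = a.protocol.toLowerCase();
  if (source === "'self'") return originOf(ancestorUrl) === docOrigin;
  if (source === "*") return true;
  // Scheme-only source, e.g. "https:" or "moz-extension:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === scheme;
  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // unrecognised token: fail closed
  const [, srcScheme, wildcard, host, port] = m;
  if (srcScheme && `${srcScheme.toLowerCase()}:` !== scheme) return false;
  const aHost = a.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (wildcard ? !aHost.endsWith(`.${h}`) : aHost !== h) return false;
  const aPort = a.port || DEFAULT_PORTS[scheme] || "";
  if (port === undefined) return a.port === ""; // no port in source: default port only
  if (port === "*") return true;
  return aPort === port;
}

// True when every frame in the ancestor chain is permitted to embed the
// document at docUrl under the given policy.
function isFramingAllowed(policy, docUrl, ancestorUrls) {
  const sources = parseCsp(policy).get("frame-ancestors");
  if (!sources) return true; // directive absent: CSP places no framing restriction
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const docOrigin = originOf(docUrl);
  return ancestorUrls.every((anc) => sources.some((src) => sourceMatches(src, anc, docOrigin)));
}

// Constructed sample values (placeholder extension id, made-up site names).
const EXT_PAGE = "moz-extension://abcd1234-0000-4000-8000-placeholder/options.html";
const SELF_ONLY = "frame-ancestors 'self'";

console.log(isFramingAllowed(SELF_ONLY, EXT_PAGE, [EXT_PAGE]));                       // true
console.log(isFramingAllowed(SELF_ONLY, EXT_PAGE, ["https://some-other-site.example/"])); // false
```

The two calls at the end are the situation the post describes: the extension's own page may frame `options.html`, and an unrelated site may not. A patched browser answers `false` for the second case and refuses to render the frame; the bug was that Firefox and Thunderbird never asked the question for moz-extension:// documents.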

What Was the Bug?

The browser failed to enforce the CSP frame-ancestors directive on moz-extension:// schemes. Other browsers (like Chrome) generally do enforce this, keeping extension pages safer.

Malicious site loads an extension page in a hidden iframe:

```html
<iframe src="moz-extension://<extension-id>/options.html" style="opacity:0"></iframe>
```

If the extension page has sensitive controls or profile information, the attacker can overlay their own elements on top of it and clickjack users—victims click what looks like the attacker's button but actually operate invisible controls in the extension page, possibly even handing over credentials!

Here’s a minimal HTML page an attacker might use:

```html
<!-- attacker.html -->
<!DOCTYPE html>
<html>
<body>
  <h1>Free iPhone! Click below!</h1>
  <iframe src="moz-extension://<extension-id>/settings.html"
          style="width:800px; height:600px; opacity:0; position:absolute; top:50px; left:50px; pointer-events:auto;">
  </iframe>
  <button style="position:absolute; top:300px; left:300px;">Click me!</button>
</body>
</html>
```

With this, any click on the big “Click me!” button could sneakily click a hidden button in your extension page below.


Mozilla’s Bugzilla page has more technical discussion

- Mozilla Bugzilla: CVE-2022-22761

Patched: Firefox 97, Thunderbird 91.6, Firefox ESR 91.6

Once updated, these browsers strictly enforced the CSP frame-ancestors directive, closing the exploit.

1. Choose a Target Extension: Find any extension with a web-accessible page.

2. Host a Malicious Website: Use an <iframe> to load the page using the moz-extension:// URL.

3. Capture Actions: When users interact, they unknowingly operate the real extension behind the scenes.

*Note:* This attack relied on extensions that had web-accessible pages and no anti-framing protections.

The Takeaway for Users and Developers

- Update Your Browser: Always run the latest Firefox or Thunderbird to avoid this and similar bugs.
- Extension Devs: Double-check your CSPs and avoid sensitive logic/UI in web-accessible pages if possible.
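For extension developers, "double-check your CSPs" can be turned into a repeatable check. The helper below is an added example written for this post, not Mozilla's tooling and not part of any extension: it reads a WebExtension manifest, lists the HTML pages exposed through `web_accessible_resources`, and reports whether the declared `content_security_policy` (a string in Manifest V2, an object with an `extension_pages` key in Manifest V3) restricts who may frame them. The key names are the real manifest keys; the three manifests are constructed samples. Keep in mind the post's own caveat: before the fixed releases the directive was not enforced at all, so the strongest option remains keeping sensitive UI out of web-accessible pages entirely.

```javascript
// Added example, not code from the original post or from Mozilla: a small
// framing audit for a WebExtension manifest object.

// Extension-page CSP: MV2 uses a plain string, MV3 an object with extension_pages.
function extensionPagesCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages;
  return null;
}

// Web-accessible resources: MV2 is an array of path patterns (reachable from
// any site, so matches is null), MV3 an array of { resources, matches } objects.
function webAccessibleResources(manifest) {
  const out = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") out.push({ resource: entry, matches: null });
    else for (const r of entry.resources || []) out.push({ resource: r, matches: entry.matches || [] });
  }
  return out;
}

// Source list of the frame-ancestors directive, or null when it is absent.
function frameAncestorsSources(csp) {
  const m = /(?:^|;)\s*frame-ancestors\s+([^;]*)/i.exec(csp || "");
  return m ? m[1].trim().split(/\s+/) : null;
}

// One finding per web-accessible page that can still be framed by someone.
function auditFraming(manifest) {
  const csp = extensionPagesCsp(manifest);
  const sources = frameAncestorsSources(csp);
  const blocked = sources !== null && sources.length === 1 && sources[0].toLowerCase() === "'none'";
  const restricted = sources !== null && !sources.includes("*");
  const findings = [];
  for (const { resource, matches } of webAccessibleResources(manifest)) {
    // Treat explicit .html/.htm files and trailing wildcards as potential pages.
    const looksLikePage = /\.html?$/i.test(resource) || /(^|\/)\*$/.test(resource);
    if (!looksLikePage || blocked) continue;
    findings.push(restricted
      ? { resource, matches, severity: "low", issue: `page may be framed by: ${sources.join(" ")}` }
      : { resource, matches, severity: "high", issue: "no frame-ancestors restriction on a web-accessible page" });
  }
  return { csp, frameAncestors: sources, findings };
}

// Constructed sample manifests (not real extensions).
const VULNERABLE_MANIFEST = {
  manifest_version: 2, name: "sample-ext", version: "1.0",
  web_accessible_resources: ["settings.html", "icons/*.png"],
};
const SELF_FRAMED_MANIFEST = {
  manifest_version: 2, name: "sample-ext", version: "1.0",
  content_security_policy: "script-src 'self'; object-src 'self'; frame-ancestors 'self'",
  web_accessible_resources: ["options.html"],
};
const HARDENED_MANIFEST = {
  manifest_version: 3, name: "sample-ext", version: "1.1",
  content_security_policy: { extension_pages: "script-src 'self'; frame-ancestors 'none'" },
  web_accessible_resources: [{ resources: ["help.html"], matches: ["https://docs.example/*"] }],
};

for (const m of [VULNERABLE_MANIFEST, SELF_FRAMED_MANIFEST, HARDENED_MANIFEST]) {
  console.log(m.name, m.version, JSON.stringify(auditFraming(m).findings));
}
```

Run this over a real `manifest.json` (for example `auditFraming(JSON.parse(fs.readFileSync("manifest.json")))`) as a pre-release check: a "high" finding means a page is exposed with no framing restriction, a "low" finding means framing is restricted but the page is still reachable from the web and deserves a second look.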

Additional Reading

- CVE-2022-22761 on NVD
- Firefox Security Advisory 2022-05
- Official Bugzilla Report
- Mozilla Developer docs: Content Security Policy and Extension Security

Conclusion

CVE-2022-22761 was a classic case of a small oversight in browser policy enforcement making a big risk. By not honoring frame-ancestors for their own extension scheme, Firefox and Thunderbird gave attackers a new route into otherwise well-protected extension pages.

It’s fixed now—so patch up, and stay secure!

*If you found this useful, let us know in the comments, or share your own experiences dealing with extension security!*

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 14:02:00 UTC