CVE-2022-29914 Reusing existing popups could have allowed for browser spoofing attacks.

Thunderbird and Firefox are not vulnerable if they are using the --force-fullscreen command line argument. All versions of the browser are vulnerable to clickjacking if they are using background tabs. All versions of the browser are also vulnerable to full screen bypass attacks if they are using a fixed positioning mode. Depending on the version of the browser, it may also be vulnerable to cross-site iframes if it is using a fallback mode.

Clickjacking

Clickjacking is a form of click fraud in which an attacker tricks a user into clicking on a malicious web page. The user's clicks are covertly redirected to another website without their knowledge or consent.
Often, the attacker uses a nearly identical URL as the legitimate one, so that the user will click it without being suspicious.

Summary of the vulnerabilities

Vulnerabilities in Thunderbird and Firefox are only present if they are using the --force-fullscreen command line argument. They are not vulnerable to background tab hijacking or full screen bypass attacks if they use a fixed positioning mode, but they may be vulnerable to cross-site iframes and fallback modes.

Install the Latest Version of Thunderbird or Firefox

It is important to make sure that you are using the latest version of Thunderbird or Firefox. To do this, you can use the following two methods:
If you have a current version of Thunderbird or Firefox, it is recommended to uninstall it and install the latest version.
Alternatively, if you cannot uninstall your current version of the program, it is recommended to disable extensions in your current browser that use JavaScript. These include Adobe Acrobat Reader DC, Chrome Frame, Mozilla Firefox (for Windows), and Microsoft Silverlight. This will prevent your browser from being exploited by clickjacking attacks.

Clickjacking vulnerability

Clickjacking is a type of attack that exploits the fact that many web browsers are still vulnerable to this dangerous tactic. Clickjacking occurs when an attacker tricks a user into clicking on something they think they'll see in a new tab, but instead the click sends them to a new browser window that's invisible to the user.
This attack can be further done by using JavaScript and tricking users into thinking they're entering information in one window but actually doing it in another. This can lead to more serious security breaches like social engineering attacks and phishing scams.
The good news is that you can protect yourself from these kinds of attacks by changing your browser settings, as well as configuring your browsing habits so you don't fall for malicious content or scams. You should also make sure you don't use any plugins or extensions that might be causing your browser to behave oddly and potentially expose you to these types of vulnerabilities.
Resetting your browser settings should fix most security problems, including those related to clickjacking, full screen bypass, cross-site iframes, and other threats.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 02:15:00 UTC

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1746448
• https://www.mozilla.org/security/advisories/mfsa2022-17/
• https://www.mozilla.org/security/advisories/mfsa2022-16/
• https://www.mozilla.org/security/advisories/mfsa2022-18/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29914