This issue was fixed in Firefox 102, Thunderbird 102, and Thunderbird 91.11. Users of Firefox 66 and Firefox ESR 52 on Windows who visited a malicious website or viewed a malicious email were vulnerable to clickjacking if the browser did not block iframes by default. The issue could be exploited by viewing a malicious email or visiting a malicious website.
Redirecting users to a different host with an iframe that runs a script on the redirecting host is a clickjacking vector. This vulnerability is similar to another clickjacking vulnerability (CVE-2016-1685) that was fixed in Firefox 66. On Windows, iframes that violate the Same Origin Policy could also be used to run scripts if the user clicked on a javascript: link. This issue was fixed in Firefox 66.

Use-After-Free: How to Prevent

This vulnerability was discovered by Nelson Elhage, who reported the issue to Mozilla. He found it in a Firefox 62 ESR release candidate that he downloaded from a Mozilla FTP server. He found that JavaScript links were not being blocked by default. This allowed for clickjacking attacks via iframes that violate the Same Origin Policy. The vulnerability was fixed in Firefox 62 ESR and Firefox 66 ESR, Thunderbird 52 and Thunderbird 60, and SeaMonkey 2.49 on Windows, as well as Firefox ESR 45.7.0 on Linux.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 18:01:00 UTC

References