This issue was fixed in Firefox 102, Thunderbird 102, and Thunderbird 91.11. Users of Firefox 66 and Firefox ESR 52 on Windows who visited a malicious website or viewed a malicious email were vulnerable to clickjacking if the browser did not block iframes by default.
Redirecting users to a different host with an iframe that runs a script on the redirecting host is a clickjacking vector. This vulnerability is similar to another clickjacking vulnerability (CVE-2016-1685) that was fixed in Firefox 66. On Windows, iframes that violate the Same Origin Policy could also be used to run scripts if the user clicked on a javascript: link. This issue was fixed in Firefox 66.
Use-After-Free: How to Prevent
This vulnerability was discovered by Nelson Elhage, who reported the issue to Mozilla. He found it in a Firefox 62 ESR release candidate that he downloaded from a Mozilla FTP server. He found that JavaScript links were not being blocked by default. This allowed for clickjacking attacks via iframes that violate the Same Origin Policy. The vulnerability was fixed in Firefox 62 ESR and Firefox 66 ESR, Thunderbird 52 and Thunderbird 60, and SeaMonkey 2.49 on Windows, as well as Firefox ESR 45.7.0 on Linux.
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 18:01:00 UTC