The issue exists because Firefox for Android does not do any checks on the origin of web content before showing a notification about it. This means that an attacker could trick a user into granting permission to a website by sending the user a link for a website that the user does not trust. In Firefox 104, the link that is shown in the pop-up window about audio notification could have been recorded by a malicious third party and displayed as if it came from the website itself.

Vulnerability Details

A vulnerability exists in Firefox for Android because it does not do any checks on the origin of web content before showing a notification about it. This means that an attacker could trick a user into granting permission to a website by sending them a link for a website that the user does not trust. In Firefox 104, the link that is shown in the pop-up window about audio notification could have been recorded by malicious third parties and displayed as if it came from the website itself.
The issue was fixed before the release of Firefox 104.

CVE-2023-38473

The issue exists because Firefox for Android does not do any checks on the origin of web content before showing a notification about it. This means that an attacker could trick a user into granting permission to a website by sending the user a link for a website that the user does not trust. In Firefox 104, the link that is shown in the pop-up window about audio notification could have been recorded by a malicious third party and displayed as if it came from the website itself.

CVE-2023-38475

The issue exists because the notification window for audio notifications does not have any indication of the actual origin of the notification. This means that an attacker could trick a user into granting permission to a website by sending the user a link for a website that the user does not trust.

In Firefox 105, Firefox will show you additional information about the website that is displaying this notification.

CVE-2023-38478

An attacker can convince a user to grant permission for a website to access their camera or microphone. The issue is that Firefox for Android does not do any checks on the origin of web content before showing a notification about it. This means that an attacker could trick a user into granting permission for a website to access their camera or microphone by sending the user a link that states that it will show them videos from their camera or record audio through their microphone.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 21:11:00 UTC

References