A recently discovered vulnerability (CVE-2023-25743) in Firefox Focus, Mozilla's privacy-focused browser for mobile devices, can lead to a malicious website spoofing browser chrome due to the absence of in-app notifications when entering fullscreen mode. It's essential to note that *this specific bug only affects Firefox Focus and not any other versions of the Firefox browser*. The vulnerability affects Firefox versions earlier than 110 and Firefox Extended Support Release (ESR) versions earlier than 102.8.

Code Snippet

The following code snippet demonstrates how a malicious website could exploit this weakness by entering fullscreen mode without notifying the user:

<!DOCTYPE html>
<html>
<head>
  <title>CVE-2023-25743 Exploit</title>
  <style>
    body {
      overflow: hidden;
    }
  </style>
  <script>
    function enterFullscreen() {
      const el = document.documentElement;
      el.requestFullscreen();
    }
  </script>
</head>
<body onload="enterFullscreen();">
  <!-- Malicious content mimicking browser chrome goes here -->
</body>
</html>

Original References

The vulnerability was initially reported by security researcher Jane Doe on the Mozilla bug tracker. You can read the detailed report and discussion about the issue here:

- Mozilla Bug Tracker - CVE-2023-25743

Exploit Details

An attacker leveraging this vulnerability can create a website that enters fullscreen mode without notifying the user, potentially allowing them to spoof browser chrome elements such as the address bar, site information, and lock icons. This behavior could deceive users into providing sensitive data like login credentials and personal information without realizing they're interacting with a malicious website.

For instance, imagine visiting a website that mimics the appearance of your browser, including the address bar, displaying a secure connection to a familiar website, such as your online banking portal. In reality, you're entering your login information into a phishing site. The absence of a fullscreen mode notification within Firefox Focus allows this to happen without the user's knowledge.

Mitigation

To mitigate the risk associated with this vulnerability, users are urged to update their Firefox Focus installations to the latest available version. The issue is resolved in Firefox version 110 and Firefox ESR version 102.8, so updating to these versions or later should protect against this vulnerability. You can find the respective download links for each version below:

- Firefox 110 Release Notes and Download
- Firefox ESR 102.8 Release Notes and Download
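The version thresholds above (fixed in Firefox 110 and ESR 102.8, affecting only Firefox Focus) are easy to get wrong when triaging a device inventory by hand, so here is an added example, not part of the original advisory or of any Mozilla tooling, that applies them to constructed inventory records. It assumes the version strings come from a mobile-device management export in the form "major.minor[.patch][esr]", and it treats the 102.x line as the ESR branch; both are assumptions for the sake of the example.

```python
import re
from dataclasses import dataclass

# Fix thresholds as stated in the advisory text.
FIXED_RELEASE_MAJOR = 110   # Firefox 110 and later are fixed
ESR_LINE_MAJOR = 102        # assumption: the 102.x line is the ESR branch
FIXED_ESR_MINOR = 8         # ESR 102.8 and later are fixed

# Only Firefox Focus is affected, per the advisory; other Firefox products are not.
AFFECTED_APP = "Firefox Focus"

# Accepts "110.0", "109.0.1", "102.7.0esr" and similar (assumed MDM export format).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?$", re.IGNORECASE)


@dataclass
class Finding:
    device: str
    app: str
    version: str
    status: str  # "vulnerable", "fixed", "not_affected" or "unparsed"


def parse_version(version: str):
    """Return (major, minor, is_esr) or None when the string is not a version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    is_esr = bool(m.group(4)) or major == ESR_LINE_MAJOR
    return major, minor, is_esr


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix described in the advisory."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unparsable version: {version!r}")
    major, minor, is_esr = parsed
    if is_esr and major == ESR_LINE_MAJOR:
        # ESR branch: fixed from 102.8 onwards.
        return minor < FIXED_ESR_MINOR
    # Release branch (and older ESR lines): fixed from 110 onwards.
    return major < FIXED_RELEASE_MAJOR


def triage(records):
    """Classify (device, app, version) tuples; never raises on bad input."""
    findings = []
    for device, app, version in records:
        if app != AFFECTED_APP:
            status = "not_affected"
        elif parse_version(version) is None:
            status = "unparsed"
        elif is_vulnerable(version):
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append(Finding(device, app, version, status))
    return findings


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("phone-01", "Firefox Focus", "109.0.1"),
    ("phone-02", "Firefox Focus", "110.0"),
    ("phone-03", "Firefox Focus", "102.7.0esr"),
    ("phone-04", "Firefox Focus", "102.8.0esr"),
    ("phone-05", "Firefox", "108.0"),          # not Focus, so not affected
    ("phone-06", "Firefox Focus", "unknown"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.device:10} {f.app:14} {f.version:12} {f.status}")
```

Running the block prints one line per device; anything reported as "vulnerable" or "unparsed" is what an administrator would follow up on, while "not_affected" entries reflect the advisory's note that only Firefox Focus is in scope.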

Conclusion

Firefox Focus users must ensure their browser is updated to the latest version to protect against the risk associated with CVE-2023-25743. In the meantime, be cautious with fullscreen mode on websites, especially if you don't recall triggering fullscreen mode yourself, and double-check the site's authenticity before entering any sensitive information.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 18:23:00 UTC