When you’re browsing the web, your browser tries to protect you from shady sites asking for too much. Those “Allow Notifications?” popups are supposed to keep you in control. But in Summer 2023, a bug in Firefox’s notification system made it much easier for a sneaky website to trick you into giving permissions you never meant to allow.
Let’s break down what happened with CVE-2023-4047—the bug, the risk, and how the exploit could work.
What is CVE-2023-4047?
CVE-2023-4047 is a security vulnerability in Firefox revealed by Mozilla on August 1, 2023. This bug affected:
Firefox ESR < 115.1
Description:
A bug in how Firefox calculates notification popup delays could let attackers trick users into granting permissions, like notifications or camera/mic access, by making permission dialogs appear at surprising times or in unexpected contexts.
References:
- Mozilla Security Advisory MFSA 2023-30
- NIST CVE Database: CVE-2023-4047
Technical Details: Why Did This Happen?
Browsers try to prevent “permission spam” by putting a delay between when a website loads and when it can prompt you for sensitive permissions. This delay builds on the assumption that annoying requests will come immediately—so popups only appear after you’ve been on the page for a while or interacted with it.
With CVE-2023-4047, a flaw in Firefox’s delay calculation let attackers bypass these protections.
Under some circumstances, the site could reset or avoid the delay, causing permission popups to appear instantly or at times that could “blend in” with user actions, making it far easier to click “Allow” by mistake.
Here’s an example how a malicious website might abuse this bug
// Attacker's code snippet to trigger permission popup at a precise moment
setTimeout(() => {
Notification.requestPermission().then(permission => {
if (permission === 'granted') {
// Send spam notifications, harvest data, etc.
}
});
}, 10); // Triggers almost immediately after reload or a tricked interaction
In affected versions, the built-in delay protection could be tricked (or even triggered multiple times), leading to back-to-back permission prompts.
User visits a website controlled by the attacker.
2. The attacker uses JavaScript to quietly reset or bypass the permission delay logic, using reloads, redirects, or simulated interactions.
3. At a carefully chosen time (for example, right after the user clicks a button), the permission popup appears.
4. Because the popup appears when the user expects some other action, they are more likely to click "Allow" without realizing they're granting a persistent permission (notifications, camera, mic, etc).
Trigger phishing attacks (with notifications mimicking OS warnings)
- Possibly escalate access to camera/microphone (depending on context)
Who was vulnerable?
Anyone using Firefox before version 116, or the enterprise ESR releases before 102.14 or 115.1.
Clipboard access (in some contexts)
Why does this matter?
Attackers love to “trick the click.” By making popups appear at the perfect moment, they subvert your expectations—making you more likely to trust or quickly dismiss the warning. And once a website has persistent permission, they can keep bothering you (or worse) until you revoke that access.
How Was It Fixed?
Mozilla patched CVE-2023-4047 in Firefox 116 and the newer ESR releases. The fix made sure delays for permission prompts could not be bypassed or reset through clever scripting, making the popup behavior more predictable for users.
Conclusion: How to Stay Safe
CVE-2023-4047 is a reminder that even simple delays in UI can be a key security defense—and a target for attackers. Here are some tips:
Review website permissions in your browser settings, and remove anything suspicious.
Stay in control of your browser—and don’t let clever bugs or attackers take the reins!
Further Reading
- Mozilla Security Advisories
- NIST NVD: CVE-2023-4047
Thanks for reading! If you found this helpful, consider sharing with your friends to keep everyone safer online.
Timeline
Published on: 08/01/2023 15:15:00 UTC
Last modified on: 08/09/2023 21:15:00 UTC