CVE CyberSecurity Database News

CVE-2023-4051 - How Firefox’s File Dialog Could Hide Full Screen Notifications (With Exploit Details)

Poster -

When browsing the web, you expect the browser to protect you from deceptive websites. One important way Firefox does this is by showing a clear notification whenever a website requests full screen — so you always know when a website tries to take over your entire display.

But in CVE-2023-4051, discovered in Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2, there was a flaw: A website could launch the File Open Dialog right as it went full screen, completely blocking that important notification. This could allow attackers to trick you about what’s really happening — a perfect setup for “spoofing.”

In this long read, we’ll walk through what went wrong, demonstrate the vulnerability with code, show how it could be abused, and point you to the original references. Let’s dive in.

What Happened? (In Simple Terms)

Normally, if a site tries to go full screen, Firefox displays a notification along the top of your screen like this:

> “This page is now full screen. Press Esc to exit.”

But a clever attacker figured out you could call the file picker dialog (like when choosing photos to upload) at exactly the right time — and that system dialog would block out the full screen notification! So, users could be fooled into thinking something else is going on, all while the site has full screen control.

Why is this dangerous? Because hiding the full screen notification is a classic trick for phishing, fake “login” prompts, and other visual spoofing attacks.

Exploit Code (Step By Step)

Let’s look at a simple way an attacker could abuse this bug. Here’s a code snippet that demonstrates the core idea:

<!DOCTYPE html>
<html>
  <body>
    <button id="goFullScreen">Click to Start</button>
    <input type="file" id="fileInput" style="display:none"/>
    <script>
      document.getElementById('goFullScreen').onclick = function() {
        // Step 1: Go Fullscreen
        document.documentElement.requestFullscreen().then(() => {
          // Step 2: Immediately open the file picker dialog
          document.getElementById('fileInput').click();
        });
      };
    </script>
  </body>
</html>

The file picker dialog pops up immediately, hiding the browser’s full screen notification.

The user never sees the warning and might think the file picker was part of something safe — or just be generally confused.

Here are some classic phishing/spoofing tricks

- Fake Login Pages: Create a site that looks like a popular service. After going full screen (and covering up the notification), show a fake login prompt. Victims may think it’s authentic.
- Mimic Browser UI: Full screen mode lets attackers paint the screen however they wish, even faking address bars, security indicators, or buttons.
- Mislead File Uploads: Trick users into uploading files by making them think it’s a trusted action, when really it’s not.

If the full screen notification isn’t visible, users lose an important protection.

Thunderbird: All versions < 115.2

These are now patched, but if you or your organization is running an old version, you’re still at risk.

How Did Mozilla Fix It?

The fix ensures the full screen warning cannot be bypassed by dialog boxes or overlays. The notification is now reliably shown over everything, so users know when a site takes control of the whole screen.

Reference to the fix:  
Mozilla Bug 1842664 - Full screen notification is obscured by file picker

Recommendations

1. Update Your Browser! Always run the latest version of Firefox (or Thunderbird/ESR) to get security fixes.
2. Watch for Deceptive Prompts: Even with the fix, don’t trust sites that unexpectedly ask for files while going full screen.
3. Educate Users: For organizations, make sure users are aware that browsers use full screen warnings for their safety.

Further Reading & References

- Mozilla Security Advisory MFSA 2023-30
- CVE Entry on MITRE
- Bugzilla Full Fix Discussion

Conclusion

CVE-2023-4051 was a subtle but dangerous vulnerability: it let attackers obscure a critical security warning, opening the door for spoofing and confusion. This is a reminder that even small UI details matter in browser security — and why it’s essential to keep your software up to date.

Stay safe and always double check: if something looks off in your browser, trust your instincts and hit Esc to leave full screen mode.


*Written exclusively for you — feel free to share to help others stay secure!*

Timeline

Published on: 08/01/2023 15:15:00 UTC
Last modified on: 09/11/2023 09:15:00 UTC