If you use Firefox, Firefox ESR, or Thunderbird, you should pay close attention to CVE-2023-5721. This vulnerability, fixed in late 2023, let attackers trick users into approving browser prompts and dialogs without meaning to—just because there wasn’t enough of a delay between their appearance and your next click.
Let’s break down what happened, see how it could be abused, and look at some real code so you can better understand what went on under the hood.
What Exactly Was CVE-2023-5721?
When a website needs your permission for something sensitive—say, access to your camera, microphone, or the ability to install an extension—it pops up a browser dialog. To stop websites from hijacking your clicks, browsers like Firefox put a short “activation delay” on these dialogs. The user can’t approve the dialog instantly; they have to wait a brief moment before their click counts.
Thunderbird before 115.4.1
the activation-delay was either missing or just too short. Attackers could activate a dialog and piggyback on your next click, causing unintentional permissions—maybe even one you meant for another part of the page!
You’re playing a game on a website.
2. Suddenly, just before you click the next level, a browser prompt (like a “Allow notifications?” dialog) sneaks in under your pointer.
3. If there’s no delay, your innocent click says “Yes, please allow notifications”—even though you never meant to.
Browsers must slow down these prompts just enough to avoid abuse, but not so much that it annoys users.
The Trick
Here’s a simple scenario in code. JavaScript running on a site waits for the user to click something and then throws up a dialog at the exact moment you click:
button.addEventListener('click', function() {
// After the button is clicked, immediately ask for permission
Notification.requestPermission().then(function(permission) {
// ...
});
});
In a vulnerable browser (Firefox <119, ESR <115.4, Thunderbird <115.4.1), if there isn’t enough delay before the dialog, your click could “leak through”—not to the button, but to the prompt. If that click lines up just right, you might grant permission by accident.
Stacking the Deck
A malicious site could use CSS and JavaScript to place an invisible button under your pointer, then quickly trigger a dialog as you click. The key is that the OS (or browser) counts your last click *for the dialog*—not for the original button.
Proof-of-Concept (PoC): A Basic Example
Related bug reports have been somewhat reserved with live exploits due to security risks, but here’s a simplified proof-of-concept showing how quick dialogs can be abused:
<!DOCTYPE html>
<html>
<body>
<button id="trick">Click Me!</button>
<script>
document.getElementById('trick').addEventListener('click', function() {
// Prompt right on click
Notification.requestPermission();
});
</script>
</body>
</html>
On a vulnerable version, clicking the button and dialog would pop up so quickly that your original click could count as “Allow” for notifications, rather than the original intent.
Thunderbird before v115.4.1
All platforms: Linux, Windows, macOS, any place these apps run.
The Fix
The solution was to re-introduce a sensible delay (activation-delay) before allowing any user interaction with permission dialogs or prompts. Now, if a website tries to surprise you, you still have to wait just a bit before you can click. This closes the “clickjacking” window.
References and Further Reading
- Mozilla Foundation Security Advisory 2023-44
- CVE Details: CVE-2023-5721
- Firefox ESR Release Notes 115.4
Conclusion
CVE-2023-5721 reminds us that even tiny timing bugs can have a big impact. An insufficient activation-delay might sound minor, but it’s the kind of loophole attackers love. Always keep your software up-to-date and be aware of how browsers handle permission prompts—because one hasty click shouldn’t cost you your privacy.
Have you ever seen a dialog pop up just when you were about to click? Let us know your experiences in the comments below! Stay safe and update your browsers!
Timeline
Published on: 10/25/2023 18:17:43 UTC
Last modified on: 11/01/2023 19:24:31 UTC