In October 2023, a new security vulnerability was discovered in Firefox, Thunderbird, and Firefox ESR on macOS systems. Identified as CVE-2023-5726, this bug made it possible for malicious websites to obscure critical fullscreen notifications by triggering the system file open dialog. This post explains, in simple terms, how this vulnerability worked, the risk it introduced, and what you should do to stay safe.
Note: Only Firefox, Firefox ESR, and Thunderbird on macOS were affected. Other operating systems like Windows and Linux were not impacted.
What Went Wrong?
When a website switches to fullscreen mode, Firefox displays a clear warning banner at the top of the screen. This notification helps users know when a website is taking over the whole screen, which protects against spoofing attacks—where a malicious site tries to look like something trustworthy, like your bank.
The Problem:
On macOS, a website could use JavaScript to open a file picker dialog immediately after entering fullscreen mode. Because macOS dialogs always appear on top of other content, this dialog would cover up the fullscreen notification banner. A clever attacker could exploit this to trick users into thinking they're interacting with a legitimate site, while they're actually talking to a fake interface generated by the attacker.
Here's a simple demo that shows how a site could trigger this behavior
<!DOCTYPE html>
<html>
<body>
<button id="goFullscreen">Go Fullscreen & Open File Dialog</button>
<input type="file" id="fileInput" style="display:none;">
<script>
document.getElementById('goFullscreen').onclick = async function() {
// Go fullscreen
await document.documentElement.requestFullscreen();
// Without delay, open file picker dialog
document.getElementById('fileInput').click();
}
</script>
</body>
</html>
The fullscreen notification appears behind the file dialog, so the user never sees it.
When the user closes the dialog, the fake content can resemble any trusted site—like an online bank or email login—making it easy to phishing and other attacks.
Why Does This Matter?
Fullscreen notifications are a crucial defense against website spoofing. If a site can hide these warnings, users may think they're on a legitimate system interface—when they're not. This opens the door for:
Thunderbird before 115.4.1 on macOS
Other operating systems were not affected.
Users who updated Firefox or Thunderbird to a patched version are protected.
References and Further Reading
- Mozilla Security Advisory 2023-44
- CVE-2023-5726 NIST Entry
- Bugzilla Report
Exploit Details
The exploit relies on the predictable layering of macOS (where dialogs can overlap fullscreen notifications) and the browser's event timing. It's not remotely exploitable on its own—you'd need a site visitor to click a button or take some action. But combined with other tricks (like social engineering), this can be quite dangerous.
The Fix
After reporting, Mozilla quickly fixed the bug. From Firefox 119 and Thunderbird 115.4.1 onwards, the browser no longer allows the file picker to cover up the fullscreen notification. Now, either the fullscreen state or the dialog is canceled to prevent confusion.
How To Protect Yourself
- Update your browser: Make sure you are using Firefox 119 or newer, or Thunderbird 115.4.1 or newer.
Conclusion
CVE-2023-5726 was a clever exploit relying on the intersection of browser behaviors and macOS window management. By understanding how attackers could abuse these gaps, software makers can build stronger, safer browsers. For users, the advice is simple: keep your software updated, and be alert for weird or unexpected dialogs or fullscreen requests.
If you use Firefox or Thunderbird on macOS, make sure you're on the latest version!
Stay safe, and always question what pops up on your screen!
Timeline
Published on: 10/25/2023 18:17:44 UTC
Last modified on: 11/02/2023 19:57:30 UTC