A newly discovered flaw, labeled CVE-2024-11698, has been identified in Firefox, Firefox ESR, and Thunderbird that affects macOS users. The flaw stems from an issue in the handling of fullscreen transitions that can inadvertently cause the application to become stuck in fullscreen mode when a modal dialog is opened during the transition.

Users are then left unable to exit fullscreen mode through standard actions like pressing "Esc" or accessing right-click menus, considerably disrupting their browsing experience. To restore normal browsing, users must restart the browser. It's important to note that this bug only affects the application when running on macOS; other operating systems remain unaffected.

Code Snippet

The following code snippet demonstrates the improper handling of fullscreen transitions, resulting in the application getting stuck in fullscreen mode:

function handleFullscreenTransition() {
  const isFullscreen = document.fullscreenElement;
  const modalDialog = findModalDialog();

  if (isFullscreen && modalDialog) {
    return;

    // The code below is not executed, causing the bug
  }

  if (isFullscreen) {
    enterFullscreen();
  } else {
    exitFullscreen();
  }
}

The issue occurs when the application attempts to handle fullscreen transitions while a modal dialog is open. Due to the use of the return statement, the code responsible for handling transitions does not execute, causing the fullscreen mode to stick.

The CVE entry for this issue can be found on the official CVE website

- CVE-2024-11698

The official security advisory for Firefox and Thunderbird

- Mozilla Foundation Security Advisory 2024-12

Exploit Details

Although there is no direct exploit that takes advantage of this vulnerability, it is considered a security and usability concern, potentially leading to misuse in the hands of a malicious actor. For example, a phishing website might abuse the flaw to force users into fullscreen mode, making it harder to access security and privacy-related browser features.

Users are advised to update to the latest version of the affected software to mitigate the risk posed by this vulnerability. The following links provide the latest versions of Firefox and Thunderbird:

- Firefox Download
- Firefox ESR Download
- Thunderbird Download

In conclusion, CVE-2024-11698 is a considerable flaw affecting certain versions of Firefox, Firefox ESR, and Thunderbird on macOS. As there is currently no direct exploit, users are urged to update to the latest version of the affected software to ensure a safe and uninterrupted browsing experience.

Timeline

Published on: 11/26/2024 14:15:19 UTC
Last modified on: 11/27/2024 16:15:13 UTC