CVE CyberSecurity Database News

CVE-2024-11698 - Stuck in Fullscreen—A macOS Flaw That Traps Firefox and Thunderbird

Poster -

Imagine going fullscreen in Firefox or Thunderbird on your Mac, then opening a dialog—maybe a download prompt or a permissions pop-up. The screen darkens, the dialog appears, and suddenly you’re stuck. Pressing "Esc" doesn’t help. Right-click menus are gone. You’re trapped in fullscreen, the browser won’t listen, and your only escape is to force-quit or restart.

This is not a hypothetical. It’s a real vulnerability: CVE-2024-11698, reported and patched by Mozilla in early 2024. The bug only affects Mac users running Firefox versions before 133, Firefox ESR before 128.5, and Thunderbird before 133 or 128.5. Windows and Linux users were never at risk.

Let’s break down what happened, how it works, and why it matters.

What Caused the Bug?

At its heart, this flaw comes from the way fullscreen transitions were coded to interact with modal dialogs on macOS. Browsers often use a "fullscreen mode" to let you focus on content. Meanwhile, modal dialogs are special pop-ups—like permission requests—that grab all your attention and block any other actions until they're closed.

When these two features meet just as fullscreen is being activated, things go sideways. The browser code failed to reset the fullscreen state if a modal dialog appeared during transition. So, when a dialog opened at the wrong moment, the normal exit points ("Esc", right-click) were blocked and never restored.

Here’s a Simplified Look at the Problem

Below is a sample code snippet, abstracted for clarity. This isn’t the actual Firefox source, but it’s similar to what might cause such an issue:

// Pseudocode: Managing fullscreen transitions and modals

function enterFullscreen() {
    isTransitioning = true;
    document.requestFullscreen().then(() => {
        isTransitioning = false;
    });
}

function openModalDialog() {
    if (isTransitioning) {
        // ERROR: fullscreen state not properly handled here!
        showDialog();
        // No code to cancel or rollback the fullscreen transition
    } else {
        showDialog();
    }
}

// Later...
function onEscPressed() {
    if (document.fullscreenElement) {
        document.exitFullscreen();
    } else if (modalIsOpen()) {
        closeDialog();
    }
}

When a modal is triggered just as fullscreen is activating (isTransitioning), the state handling breaks. The result: The browser gets "stuck" thinking it’s still in fullscreen, but users can’t break out using normal shortcuts.

Scope

This isn’t a classic exploit like remote code execution, but it’s an annoying denial-of-service: A malicious website, knowing you’re on Mac Firefox < 133, could run this sequence:

setTimeout(() => {

alert("Are you sure you want to continue?"); // Triggers modal dialog
}, 100); // Slight delay triggers the bug
}

After closing the dialog, the “Esc” key and browser menus don’t restore your window.

The user now has to force-quit the browser—closing all their tabs and possibly losing work.

Mozilla fixed this problem in the following security updates

- Firefox 133 release notes
- Thunderbird 133 release notes
- Firefox ESR 128.5. release notes
- Thunderbird ESR 128.5. release notes

The patch ensures any fullscreen state is reset properly if a modal dialog interrupts the process. Esc works again; users can leave fullscreen safely.

Recommendations

- Update Now: If you’re on macOS, and you use any affected version, update to the latest Firefox or Thunderbird immediately.
- Be Cautious with Unknown Websites: Avoid clicking "Allow" or "Enter Fullscreen" for sites you don’t trust, especially if you haven’t updated yet.
- If Stuck: As a last resort, use Cmd+Q to quit the browser, or access your Mac’s Force Quit menu (Cmd+Option+Esc).

References & Original Advisories

- Mozilla Security Advisory for CVE-2024-11698
- Firefox 133 Release Notes
- Thunderbird 133 Release Notes

Conclusion

CVE-2024-11698 highlights how complex browser features can unexpectedly collide—here, fullscreen mode and modal dialogs—leading to frustrating bugs and, potentially, denial-of-service exploits.

If you’re a Mac user, keep your browsers updated. If you’re a developer, always consider quirky edge cases in UI state management—because the smallest mishandling can lock users out of their own browsers.

Timeline

Published on: 11/26/2024 14:15:19 UTC
Last modified on: 11/27/2024 16:15:13 UTC