Closed
Bug 1317242
(CVE-2017-7770)
Opened 8 years ago
Closed 8 years ago
Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded using the alert()
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox-esr45 wontfix, fennec53+, firefox-esr52 wontfix, firefox53 wontfix, firefox54 fixed)
People
(Reporter: jordi.chancel, Assigned: cnevinchen)
References
()
Details
(Keywords: reporter-external, sec-moderate, Whiteboard: fixed by bug 1319366)
Attachments
(3 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161019084923
Steps to reproduce:
When you enter fullscreen mode and then load a new tab that calls alert();, the location bar disappears.
1 : Go to http://www.alternativ-testing.fr/Research/Mozilla/android/-K8H4D0-Location_Bar_Spoofing-FullScreen-and-alert-JavaScript-Function/TESTCASE1.HTML and click on the first link (this will activate Fullscreen Mode).
2 : Click on the second link; a new tab will be opened which contains a webpage that loads the JavaScript alert(); function.
Actual results:
Now the location bar is invisible (even if you press the back button on Android, the location bar stays hidden permanently).
You can now use a fake location bar (leading to a Location Bar Spoofing).
Expected results:
After all these steps, you can use a fake location bar (leading to a Location Bar Spoofing).
Updated•8 years ago
tracking-fennec: --- → ?
Comment 1•8 years ago
This is reproducible in all release channels.
Status: UNCONFIRMED → NEW
status-firefox50:
--- → affected
status-firefox51:
--- → affected
status-firefox52:
--- → affected
status-firefox53:
--- → affected
status-firefox-esr45:
--- → affected
Ever confirmed: true
Comment 2•8 years ago
Comment 3•8 years ago
This is how it looks on my phone.
Comment 4•8 years ago
@snorp: My guess is that this is more platform-y, what do you think? Otherwise someone from the Taipei team could investigate.
Flags: needinfo?(snorp)
Comment 5•8 years ago
Actually this looks a lot like the same issue as bug 1319366: Clicking a link while in full-screen mode using Google slides makes the navigation bar go black.
Comment 6•8 years ago
I've coded a better TestCase needing only one click on the first link in the TestCase webpage.
URL: https://www.alternativ-testing.fr/Research/Mozilla/android/-K8H4D0-Location_Bar_Spoofing-FullScreen-and-alert-JavaScript-Function/TESTCASE2.html
I will upload a video example as soon as possible.
I changed the URL of the first TESTCASE used by this new TESTCASE.
Updated•8 years ago
Summary: Firefox for Android : Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded which contains a webpage using the alert(); JavaScript Function → Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded using the alert()
Updated•8 years ago
Flags: sec-bounty?
Yeah I think this is basically a frontend bug, similar to 1319366 as Sebastian said.
Flags: needinfo?(snorp)
tracking-fennec: ? → 53+
Comment 8•8 years ago
Hey Nevin. This security bug looks like it is the same problem as bug 1319366. If you find a solution for bug 1319366 then can you check whether this one here is fixed too?
Assignee: nobody → cnevinchen
Updated•8 years ago
Keywords: sec-moderate
Comment 9•8 years ago
I suggest closing this bug since bug 1319366 has landed.
Flags: needinfo?(s.kaspari)
Comment 10•8 years ago
Can you test if this is fixed for the steps in comment 0? If so then let's close it.
Flags: needinfo?(s.kaspari)
Comment 11•8 years ago
It looks fixed to me. So I'll close this bug.
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: sec-bounty? → sec-bounty+
Comment 13•8 years ago
Be extremely careful about marking security bugs as duplicates! This will almost completely hide the fact that a security bug was fixed which means at the very least:
- QA never verifies the security fix
- no advisories are written
- no CVE is assigned
- reporter gets no credit, and might even miss out on the bounty itself if no one notices
- no testcase for the security bug gets added to the tree
This is essentially absolute when the duplicate is a non-security bug. Mark the security bug "depends on" the other bug and call it FIXED.
If the proposed duplicate is a security bug, is it really the same? If the primary bug is in any way of a larger scope or has a different testcase, then it's not a duplicate; it's a "depends on" relationship.
status-firefox50:
affected → ---
status-firefox51:
affected → ---
status-firefox52:
affected → ---
status-firefox54:
--- → fixed
status-firefox-esr52:
--- → wontfix
Depends on: 1319366
Resolution: DUPLICATE → FIXED
Whiteboard: fixed by bug 1319366
Updated•8 years ago
Alias: CVE-2017-7770
Updated•8 years ago
Flags: needinfo?(cnevinchen)
Comment 14•8 years ago
Hi Daniel, Al
Got it. Thank you! May I know if there's anything I can do now?
Flags: needinfo?(cnevinchen)
Updated•8 years ago
Group: firefox-core-security → core-security-release
Comment 15•8 years ago
No, nothing to do. I only set needinfo? to make sure you saw the comment. :-)
Updated•7 years ago
Group: core-security-release
Updated•4 years ago
Product: Firefox for Android → Firefox for Android Graveyard
Updated•9 months ago
Keywords: reporter-external