Closed Bug 1317242 (CVE-2017-7770) Opened 3 years ago Closed 3 years ago

Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded using the alert()


(Firefox for Android :: General, defect)

49 Branch
Not set



Tracking Status
firefox-esr45 --- wontfix
fennec 53+ ---
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed


(Reporter: jordi.chancel, Assigned: cnevinchen)




(Keywords: sec-moderate, Whiteboard: fixed by bug 1319366)


(3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161019084923

Steps to reproduce:

When you enter fullscreen mode and then load a new tab that calls alert();, the location bar disappears.

1 : Go to the testcase page and click on the first link (this will activate Fullscreen Mode).

2 : Click on the second link; a new tab will be opened which contains a webpage that loads the JavaScript alert(); function.

Actual results:

Now the location bar is invisible (even if you try to press the back button on Android, the location bar has disappeared for good).

You can now use a fake location bar (leading to a Location Bar Spoofing).

Expected results:

After all these steps, you can use a fake location bar (leading to a Location Bar Spoofing).
tracking-fennec: --- → ?
This is reproducible in all release channels.
Ever confirmed: true
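The two-link reproduction described in comment 0, as an added example (this is not the reporter's attached testcase and not Mozilla code). It is written as plain functions over an injected `win` so the same logic can be exercised under a stub outside a browser. The element ids, the file name `alert.html`, and the function names are assumptions; older Fennec builds only expose the `moz`-prefixed fullscreen API, which the code falls back to.

```javascript
// Added example: reproduction page for "fullscreen, then a new tab that calls
// alert()". Two files are assumed: the main page (MAIN_PAGE_HTML, loading this
// script as repro.js) and alert.html (ALERT_PAGE_HTML). All names are
// hypothetical and chosen for this example only.

// Main page: link 1 requests fullscreen, link 2 opens the alert page in a new tab.
const MAIN_PAGE_HTML =
  '<!doctype html><meta charset="utf-8"><title>repro</title>\n' +
  '<a id="fullscreen-link" href="#">1. enter fullscreen</a><br>\n' +
  '<a id="alert-link" href="alert.html" target="_blank">2. open a new tab that calls alert()</a>\n' +
  '<script src="repro.js"></script>';

// Page opened in the new tab: calls alert() as soon as its script runs.
const ALERT_PAGE_HTML =
  '<!doctype html><meta charset="utf-8"><title>alert tab</title>\n' +
  '<script>alert("new tab opened while the opener was fullscreen");</script>';

// Step 1: request fullscreen from a user gesture. Browsers only honour the
// request inside a user-initiated event handler, so this runs on click.
// Returns false if the document exposes no fullscreen API at all.
function enterFullscreen(win) {
  const el = win.document.documentElement;
  const request =
    el.requestFullscreen || el.mozRequestFullScreen || el.webkitRequestFullscreen;
  if (typeof request !== 'function') return false;
  request.call(el);
  return true;
}

// Step 2: open the alert page in a new tab and return the window handle.
function openAlertTab(win, url = 'alert.html') {
  return win.open(url, '_blank');
}

// Check: does the browser still consider the document fullscreen? While this is
// true the browser chrome (location bar included) is hidden by design; once the
// user leaves fullscreen the location bar must come back. The bug is that it
// did not.
function isFullscreen(win) {
  const d = win.document;
  return Boolean(
    d.fullscreenElement || d.mozFullScreenElement || d.webkitFullscreenElement
  );
}

// Wire the two links of the main page to the steps above.
function installRepro(win) {
  const doc = win.document;
  doc.getElementById('fullscreen-link').addEventListener('click', (e) => {
    e.preventDefault();
    enterFullscreen(win);
  });
  doc.getElementById('alert-link').addEventListener('click', (e) => {
    e.preventDefault();
    openAlertTab(win);
  });
  // Log transitions so the tester can compare the browser's own view of
  // fullscreen state with what is painted on screen.
  doc.addEventListener('fullscreenchange', () =>
    win.console.log('fullscreen:', isFullscreen(win))
  );
}

// Browser only: attach the handlers when loaded in a page; skipped under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installRepro(window);
}
```

To run it in a real browser, write `MAIN_PAGE_HTML` to `index.html`, `ALERT_PAGE_HTML` to `alert.html`, save this file as `repro.js` beside them, and serve the directory over HTTP; then follow the two clicks from comment 0 and watch whether the location bar returns after leaving fullscreen.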
Attached file Video Example.html
Attached image no-toolbar.png
This is how it looks on my phone.
@snorp: My guess is that this is more platform-y, what do you think? Otherwise someone from the Taipei team could investigate.
Flags: needinfo?(snorp)
Actually this looks a lot like the same issue as bug 1319366: Clicking a link while in full-screen mode using Google slides makes the navigation bar go black.
I've coded a better TestCase needing only one click on the first link in the TestCase webpage.


I will upload video example as soon as possible.

I changed the URL of the first TESTCASE to this new TESTCASE.
Summary: Firefox for Android : Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded which contains a webpage using the alert(); JavaScript Function → Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded using the alert()
Flags: sec-bounty?
Yeah I think this is basically a frontend bug, similar to 1319366 as Sebastian said.
Flags: needinfo?(snorp)
tracking-fennec: ? → 53+
Hey Nevin. This security bug looks like it is the same problem as bug 1319366. If you find a solution for bug 1319366 then can you check whether this one here is fixed too?
Assignee: nobody → cnevinchen
I suggest closing this bug since bug 1319366 has landed.
Flags: needinfo?(s.kaspari)
Can you test if this is fixed for the steps in comment 0? If so then let's close it.
Flags: needinfo?(s.kaspari)
Attached video 1317242.mp4
It looks fixed to me. So I'll close this bug.
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1319366
Flags: sec-bounty? → sec-bounty+
Be extremely careful about marking security bugs as duplicates! This will almost completely hide the fact that a security bug was fixed which means at the very least:
 - QA never verifies the security fix
 - no advisories are written
 - no CVE is assigned
 - reporter gets no credit, and might even miss out on the bounty itself if no one notices
 - no testcase for the security bug gets added to the tree

This is essentially absolute when the duplicate is a non-security bug. Mark the security bug "depends on" the other bug and call it FIXED.

If the proposed duplicate is a security bug, is it really the same? If the primary bug is in any way of a larger scope or has a different testcase then it's not a duplicate, it's a "depends on" relationship.
Depends on: 1319366
Whiteboard: fixed by bug 1319366
Alias: CVE-2017-7770
Flags: needinfo?(cnevinchen)
Hi Daniel, Al
Got it. Thank you! May I know if there's anything I can do now?
Flags: needinfo?(cnevinchen)
Group: firefox-core-security → core-security-release
No, nothing to do. I only set needinfo? to make sure you saw the comment. :-)
Group: core-security-release