Closed Bug 1317242 (CVE-2017-7770) Opened 3 years ago Closed 3 years ago

Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded using the alert()

Categories

(Firefox for Android :: General, defect)

49 Branch
defect
Not set

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr45 --- wontfix
fennec 53+ ---
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed

People

(Reporter: jordi.chancel, Assigned: cnevinchen)

References

Details

(Keywords: sec-moderate, Whiteboard: fixed by bug 1319366)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161019084923

Steps to reproduce:

When you go into fullscreen mode and then load a new tab with alert();, the location bar disappears.

1 : Go to http://www.alternativ-testing.fr/Research/Mozilla/android/-K8H4D0-Location_Bar_Spoofing-FullScreen-and-alert-JavaScript-Function/TESTCASE1.HTML and click on the first link (this will activate Fullscreen Mode).

2 : Click on the second link; a new tab will be opened which contains a webpage that loads the JavaScript alert(); function.



Actual results:

Now the location bar is invisible (even if you press the back button on Android, the location bar stays gone permanently).

You can now use a fake location bar (leading to a Location Bar Spoofing).



Expected results:

After all these steps, you can use a fake location bar (leading to a Location Bar Spoofing).
tracking-fennec: --- → ?
This is reproducible in all release channels.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached file Video Example.html
Attached image no-toolbar.png
This is how it looks on my phone.
@snorp: My guess is that this is more platform-y, what do you think? Otherwise someone from the Taipei team could investigate.
Flags: needinfo?(snorp)
Actually this looks a lot like the same issue as bug 1319366: Clicking a link while in full-screen mode using Google slides makes the navigation bar go black.
I've coded a better TestCase needing only one click on the first link in the TestCase webpage.

URL: https://www.alternativ-testing.fr/Research/Mozilla/android/-K8H4D0-Location_Bar_Spoofing-FullScreen-and-alert-JavaScript-Function/TESTCASE2.html 

I will upload video example as soon as possible.

I replaced the URL of the first TESTCASE with this new TESTCASE.
Summary: Firefox for Android : Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded which contains a webpage using the alert(); JavaScript Function → Location Bar Spoofing Risk using the Fullscreen mode and a new tab loaded using the alert()
Flags: sec-bounty?
Yeah I think this is basically a frontend bug, similar to 1319366 as Sebastian said.
Flags: needinfo?(snorp)
tracking-fennec: ? → 53+
Hey Nevin. This security bug looks like it is the same problem as bug 1319366. If you find a solution for bug 1319366 then can you check whether this one here is fixed too?
Assignee: nobody → cnevinchen
I suggest closing this bug since bug 1319366 has landed.
Flags: needinfo?(s.kaspari)
Can you test if this is fixed for the steps in comment 0? If so then let's close it.
Flags: needinfo?(s.kaspari)
Attached video 1317242.mp4
It looks fixed to me. So I'll close this bug.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1319366
Flags: sec-bounty? → sec-bounty+
Be extremely careful about marking security bugs as duplicates! This will almost completely hide the fact that a security bug was fixed which means at the very least:
 - QA never verifies the security fix
 - no advisories are written
 - no CVE is assigned
 - reporter gets no credit, and might even miss out on the bounty itself if no one notices
 - no testcase for the security bug gets added to the tree

This is essentially absolute when the duplicate is a non-security bug. Mark the security bug "depends on" the other bug and call it FIXED.

If the proposed duplicate is a security bug, is it really the same? If the primary bug is in any way of a larger scope or has a different testcase, then it's not a duplicate; it's a "depends on" relationship.
Depends on: 1319366
Resolution: DUPLICATE → FIXED
Whiteboard: fixed by bug 1319366
Alias: CVE-2017-7770
Flags: needinfo?(cnevinchen)
Hi Daniel, Al,
Got it. Thank you! May I know if there's anything I can do now?
Flags: needinfo?(cnevinchen)
Group: firefox-core-security → core-security-release
No, nothing to do. I only set needinfo? to make sure you saw the comment. :-)
Group: core-security-release