Custom cursor goes over native doorhanger notifications
Categories: Core :: Layout, defect, P3
People: Reporter: olivergill.mail, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [sci-exclude]
Attachments: 1 file (6.92 MB, image/gif)
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Build ID: 20190322101035
Just like with bug 1445844 a custom cursor can move over native doorhanger notifications.
Check this video: https://i.imgur.com/4aQeyBz.mp4
(The cursor does not really flash like in the video, that's from the recording software.)
As you can see the custom cursor goes many pixels into the doorhanger.
This is from the following malicious website (still live):
hxxps://s3.us-east-2.amazonaws.com/rsscfr/de/index.html
(malicious XPI here: hxxp://s3.us-east-2.amazonaws.com/exyyt/de.xpi)
Comment 1•6 years ago
Not sure how much we want to prioritize this... Though this is probably quite hard to solve without making doorhangers really fat / ugly, or very non-trivial changes...
Maybe we could do some more extra cursor filtering in the parent process, where I could potentially look at other widgets' positions. Would need to think about it.
Maybe Johann knows how native doorhangers are represented... Are they just a popup? How are they built?
Comment 2•6 years ago
Yeah, it's a XUL Panel, AFAIU. Not sure what other information you might need.
> Not sure how much we want to prioritize this... Though this is probably quite hard to solve without making doorhangers really fat / ugly, or very non-trivial changes...
I guess it's mostly up to you (I don't have time to even start thinking about how to approach this), though I'd say these doorhangers are kind of the most high value target that an attacker could want to hit, since they allow installing extensions, obtaining device permissions, etc.
Let me know if you need anything else!
Thanks :)