Closed Bug 1793829 (CVE-2022-45408) Opened 2 years ago Closed 2 years ago

Re-run window.open with same windowName allow focus stealing can be used to overlap fullscreen notification toast

Categories

(Core :: DOM: UI Events & Focus Handling, defect)


Tracking


VERIFIED FIXED
108 Branch
Tracking Status
firefox-esr102 107+ verified
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 + verified
firefox108 + verified

People

(Reporter: sourc7, Assigned: emilio)

References

(Regression)

Details

(Keywords: csectype-spoof, regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main107+][adv-esr102.5+])

Attachments

(5 files)

Attached file testcase.bundle.html

After launching a child popup window with window.open and then re-running window.open with the same windowName, the child window is able to repeatedly gain focus without requiring user click activation. With that method I found the child popup window able to overlap another popup's fullscreen notification toast.

When running this on mozregression, it points to this pushlog:

17:09.62 INFO: Last good revision: 566f81bfa373512b41c1a47962e21a06078d7bf8 (2021-02-08)
17:09.62 INFO: First bad revision: 89c5f958a3ac4795109acf1f9dff1c8026bb82fe (2021-02-09)
17:09.62 INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=566f81bfa373512b41c1a47962e21a06078d7bf8&tochange=89c5f958a3ac4795109acf1f9dff1c8026bb82fe

One of the pushlog entries that has the window.open keyword is "Take focus from window.open etc even if we're already active but not in the active window". In nsDocShell.cpp I've reverted the shouldTakeFocus code to the old one; when re-running window.open, the child window wouldn't be able to gain focus.

Tested on:

  • Firefox 105.0.2 (64-bit) on Arch Linux (KDE X11)
  • Firefox 105.0.2 (64-bit) on Arch Linux (KDE Wayland)
  • Firefox 105.0.2 (64-bit) on Ubuntu 22.04.1 LTS (Wayland)
  • Firefox Nightly 107.0a1 (2022-10-05) (64-bit) on Arch Linux (KDE X11)
  • Firefox Nightly 107.0a1 (2022-10-05) (64-bit) on Arch Linux (KDE Wayland)

Steps to reproduce:

  1. Visit the attached testcase.bundle.html on a Linux OS
  2. Click "Launch stealFocusWindow"
  3. Click "Launch requestFullscreenWindow"
  4. Click "requestFullscreen" on the child popup window
  5. The fullscreen notification toast will be overlapped by the child window
Flags: sec-bounty?

Emilio: this looks like a regression from bug 1691214; could you take a look?

On a quick try I couldn't reproduce on Mac, but I didn't dig into whether I have any settings that might be interfering.

Group: firefox-core-security → core-security
Component: Security → DOM: UI Events & Focus Handling
Flags: needinfo?(emilio)
Product: Firefox → Core
Regressed by: 1691214
Group: core-security → dom-core-security

Set release status flags based on info from the regressing bug 1691214

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)

Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: somewhat? The fix is kind of obvious.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: Bug 1691214
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Should graft cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: not likely. Again, the fix is obvious-ish.
  • Is Android affected?: No
Attachment #9297417 - Flags: sec-approval?

ni? to write a test when I have some time.

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)

Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen

Approved to land and uplift after beta branches

Attachment #9297417 - Flags: sec-approval? → sec-approval+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][reminder-test 2023-01-01]
Severity: -- → S2
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
Flags: sec-bounty? → sec-bounty+

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox107 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen

Beta/Release Uplift Approval Request

  • User impact if declined: comment 0
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: comment 0
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Rather simple tweak.
  • String changes made/needed: none
  • Is Android affected?: No
Flags: needinfo?(emilio)
Attachment #9297417 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen

Approved for 107.0b3.

Attachment #9297417 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Verified as fixed in our latest Nightly Build as well as Beta 107.0b3.

:emilio, this grafts cleanly to esr102; could you submit an ESR uplift request when ready?

Flags: needinfo?(emilio)

Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen

Beta/Release Uplift Approval Request

  • User impact if declined: Comment 0
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: comment 0
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Relatively trivial fix to avoid stealing focus in some cases without a user interaction.
  • String changes made/needed: none
  • Is Android affected?: No
Flags: needinfo?(emilio)
Attachment #9297417 - Flags: approval-mozilla-release?
Attachment #9297417 - Flags: approval-mozilla-release? → approval-mozilla-esr102?

Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen

Approved for 102.5esr.

Attachment #9297417 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+

Verified as fixed in our latest ESR 102.5.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][reminder-test 2023-01-01] → [reporter-external] [client-bounty-form] [verif?][reminder-test 2023-01-01][adv-main107+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][reminder-test 2023-01-01][adv-main107+] → [reporter-external] [client-bounty-form] [verif?][reminder-test 2023-01-01][adv-main107+][adv-esr102.5+]
Alias: CVE-2022-45408

3 months ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2023-01-01].

emilio, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(emilio)
Whiteboard: [reporter-external] [client-bounty-form] [verif?][reminder-test 2023-01-01][adv-main107+][adv-esr102.5+] → [reporter-external] [client-bounty-form] [verif?][adv-main107+][adv-esr102.5+]

Guess I can land the test now?

Flags: needinfo?(emilio) → needinfo?(tom)

Yes!

Flags: needinfo?(tom)
Group: core-security-release