Closed Bug 1822298 Opened 1 year ago Closed 1 year ago

Block the fullscreen notification on Android using download popups + keyboard + landscape

Categories

(Fenix :: General, defect)

Product:
Fenix
Component:
General
Version:
Firefox 111
Platform:
Other
Android
Type:
defect

Tracking

(firefox111 wontfix, firefox112 fixed, firefox113 fixed)

Status:
RESOLVED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox111 --- wontfix
firefox112 --- fixed
firefox113 --- fixed

People

(Reporter: haxatron1, Assigned: petru)

References

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

fullscreen-bypass.html
2.49 KB, text/html
Details
mobizen_20230314_212133.mp4
1.72 MB, video/mp4
Details
advisory.txt
12 bytes, text/plain
Details
Attached file fullscreen-bypass.html

Using a long download popup + keyboard, it is possible to push the fullscreen notification out of bounds on FF for Android.

STR

  1. Go to landscape mode.
  2. Click on input button in Firefox (tested on Nightly version)
Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
OS: Unspecified → Android
Product: Firefox → Fenix
Hardware: Unspecified → Other
Version: unspecified → Firefox 111

Video.

Agree that this is a variation of bug 1783561.
Even though the download dialog is smaller than the screen and there should be enough space left to show the fullscreen snackbar if the keyboard is also showing then there won't be any available space for the the snackbar.

This would be fixed by bug 1816059.

Depends on: CVE-2023-29534

Thanks, is this a duplicate of bug 1816059?

It is provisionally a duplicate, but we'll see if that actually fixes this rather than jump the gun with an assumption.

See Also: → 1821576

The fix for bug 1816059 is now live in the latest Nightly.
It should ensure that the message informing users about the page entering fullscreen cannot be obscured anymore.
@haxatron1 Can you confirm that applies for this issue also?

Flags: needinfo?(haxatron1)

yes it seems fixed.

Flags: needinfo?(haxatron1)

Thank you!
Closing this as fixed.
Tom to handle the bounty status.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(tom)
Resolution: --- → FIXED

We will address it in the weekly bounty meeting, thanks!

Flags: needinfo?(tom)
Assignee: nobody → petru.lingurar
Group: mobile-core-security → core-security-release
status-firefox111: --- → wontfix
status-firefox112: --- → fixed
status-firefox113: --- → fixed
Target Milestone: --- → 113 Branch

As we expected, this did turn out to be fixed by the redesigned mechanism in bug 1816059 making this essentially a dupe for purposes of the bug bounty.

Flags: sec-bounty? → sec-bounty-
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: