Closed Bug 1822305 Opened 2 years ago Closed 2 years ago

Block the fullscreen notification on Android using external protocol prompt

Categories

(Fenix :: General, defect)

Product:
Fenix
Component:
General
Version:
Firefox 111
Platform:
Other
Android
Type:
defect

Tracking

(firefox111 wontfix, firefox112 fixed, firefox113 fixed)

Status:
RESOLVED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox111 --- wontfix
firefox112 --- fixed
firefox113 --- fixed

People

(Reporter: haxatron1, Assigned: petru)

References

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

fullscreen-bypass.html
95 bytes, text/html
Details
mobizen_20230314_213705.mp4
1.26 MB, video/mp4
Details
advisory.txt
12 bytes, text/plain
Details
Attached file fullscreen-bypass.html

The new external protocol prompt on Android seems to be asynchronous. Therefore it is possible to trigger a keyboard and the external protocol prompt and fullscreen at the same time which causes the fullscreen popup to be covered.

  1. Go to fullscreen-bypass.html
  2. Click the input bar
Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → General
OS: Unspecified → Android
Product: Firefox → Fenix
Hardware: Unspecified → Other
Version: unspecified → Firefox 111

The solution should be if any prompt is encountered, Firefox should exit fullscreen as per Firefox for Desktop and Chrome for Android / Desktop does.

Thank you!
Seems like a variation of an already reported issue regarding this prompt in bug 1821576.
Would be fixed with the same approach as on bug 1816059.

status-firefox112: --- → affected
status-firefox113: --- → affected
Depends on: CVE-2023-29534
See Also: → 1821576

This bug should bs fixed too

Thank you for the confirmation!

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox112: affectedfix-optional
status-firefox113: affectedfixed
Resolution: --- → FIXED
Assignee: nobody → petru.lingurar
Group: mobile-core-security → core-security-release
status-firefox111: --- → wontfix
status-firefox112: fix-optionalfixed
Target Milestone: --- → 113 Branch

As we expected, this did turn out to be fixed by the redesigned mechanism in bug 1816059 making this essentially a dupe for purposes of the bug bounty.

Flags: sec-bounty? → sec-bounty-
Attached file advisory.txt
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: