Closed Bug 1876595 Opened 1 year ago Closed 9 months ago

Date picker is Able to Overlap Fullscreen Notification

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

RESOLVED FIXED
129 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 129+ fixed
firefox129 + fixed

People

(Reporter: fazim.pentester, Assigned: canadahonk)

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Attached file poc.html

By utilizing the Date picker, Firefox fullscreen notifications can be obscured. Below is a proof of concept where the attacker site requests the user to click to launch the Date picker above the fullscreen notification, thereby spoofing the browser.

Steps to Reproduce:

  1. Download the poc.html file.
  2. Open the poc.html file in Firefox for testing.
Flags: sec-bounty?
Attached video demo.mp4
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Keywords: csectype-spoof
Product: Firefox → Core

It's not great that we let things float on top of that banner generally, but this widget doesn't obscure what is happening.

Keywords: sec-low

Covers the part of the text fullscreen neatly. If possible to launch 2 similar widgets together, could completely cover the banner, but I am not sure if it's possible.

The severity field is not set for this bug.
:edgar, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(echen)

I think this case could be fixed after bug 1877969.
(Set severity to S2 as bug 1877969 is S2)

Severity: -- → S2
Flags: needinfo?(echen)

Moving to S3 per the security rating for this particular case. We will revisit and verify this after the S2 bug 1877969.

Severity: S2 → S3

Hi Dan,

It seems this issue is fixed by Bug 1903187 (just saw it in the advisory). I don't mind duplicating it into that issue, but I would like to know if this qualifies for a bounty and if we can also classify it as sec-medium since the similar bug is also sec-medium.

Flags: needinfo?(dveditz)

(Canceling previous comment. Not the same issue. It seems this issue is fixed.)

Hi Hasin-Yi,

Can you verify if this issue is fixed? Thank you.

Flags: needinfo?(dveditz) → needinfo?(htsai)
Attached video test-1876595.mp4

Tested on the latest nightly version 131.0a1 (2024-08-06) (64-bit) on Windows 11.

(In reply to Shaheen Fazim from comment #9)

> Created attachment 9418113 [details]
> test-1876595.mp4
>
> Tested on the latest nightly version 131.0a1 (2024-08-06) (64-bit) on Windows 11.

I verify that I saw the same behavior on my Windows 11 machine, when using Nightly 131. The issue is fixed. Thank you.

Status: NEW → RESOLVED
Closed: 9 months ago
Flags: needinfo?(htsai)
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty-
Assignee: nobody → omedhurst
Group: dom-core-security → core-security-release
Target Milestone: --- → 129 Branch
Assignee: omedhurst → nobody
Assignee: nobody → omedhurst
Group: core-security-release