Closed Bug 1909163 Opened 1 year ago Closed 1 year ago

Select option appears in different origin if user manually opens a new tab with the keyboard or the webpage is allowed popups (window.open)

Categories

(Core :: DOM: Core & HTML, defect)

Desktop
All
defect

Tracking

VERIFIED FIXED
131 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 130+ verified
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 + verified
firefox131 + verified

People

(Reporter: sas.kunz, Assigned: Gijs)

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [adv-main130-][adv-esr128.2-][client-bounty-form])

Attachments

(6 files, 1 obsolete file)

After https://bugzilla.mozilla.org/show_bug.cgi?id=1875354 is fixed, the select option will close in a new window or new tab, but this can be bypassed by pressing Ctrl + T (opens a new tab).

Steps to reproduce:

  1. Open sf.html
  2. Click on "click me"
  3. Press Ctrl + T to open a new tab

OS: Windows 10

Flags: sec-bounty?
Attached file sf.html

Firefox version: Nightly 130.0a1 (2024-07-21) (64-bit)

This is trivially fixable by using tabspecific=true on the ContentSelectDropdown element.

Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → Desktop
See Also: → CVE-2024-7518
Summary: Select option appears in different origin lead to spoof → Select option appears in different origin if user manually opens a new tab with the keyboard or the webpage is allowed popups (window.open)
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED

This doesn't seem that bad to me. The interaction is a bit weird, and I don't see how you are confusing people much by having it on top of the about:new tab page, so the user would have to have a custom page, which of course the attacker can't tell.

Severity: -- → S3
See Also: → 1907032
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch

Thank you for reporting this variation. As a sec-low bug it does not qualify for our bounty, unfortunately.

Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-
Flags: qe-verify+
QA Whiteboard: [post-critsmash-triage]

Please nominate this for ESR128 approval when you get a chance.

Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9419867 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: Spoofing/confusion around select popups
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: see comment 0
  • Risk associated with taking this patch: low
  • Explanation of risk level: single attribute on the select dropdown
  • String changes made/needed: no
  • Is Android affected?: no

Comment on attachment 9419867 [details]
Bug 1909163 - mark select dropdown as tabspecific, r?emilio

So digging into this, I'm realizing this patch doesn't actually work.

Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9419867 - Flags: approval-mozilla-esr128?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #9419867 - Attachment is obsolete: true
Pushed by gijskruitbosch@gmail.com: https://hg.mozilla.org/integration/autoland/rev/da046994a08d make select dropdowns more properly tabspecific, r=emilio
Target Milestone: 130 Branch → ---
Status: REOPENED → RESOLVED
Closed: 1 year ago → 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 131 Branch
Attachment #9420022 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: spoofy select dropdowns
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: see comment 0
  • Risk associated with taking this patch: low
  • Explanation of risk level: minor changes to select popup attributes
  • String changes made/needed: no
  • Is Android affected?: no
Attachment #9420022 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage] [qa-triaged]

I managed to reproduce the issue on Firefox 129.0.2, under Windows 11.
The issue is no longer reproducible on Firefox 130.0b8 (treeherder build), or on Firefox 131.0a1.
Tests were performed under Windows 11 x64, macOS 10.15 and Ubuntu 22.04.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Attachment #9420417 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: Confusing select dropdowns
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: See earlier comments
  • Risk associated with taking this patch: Low
  • Explanation of risk level: Minor JS changes, already verified in nightly
  • String changes made/needed: No
  • Is Android affected?: no
Flags: qe-verify+
Attachment #9420417 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

Managed to verify the issue on Firefox 128.2.0ESR on Windows 10 and Windows 11.

Flags: qe-verify+
Whiteboard: [client-bounty-form] → [adv-main130-][adv-esr128.2-][client-bounty-form]

The Select Element didn't support showPicker() until bug 1854112.

See Also: → CVE-2024-8386
Group: core-security-release