1940162 - (CVE-2025-1019) reportValidity to steal window focus able to overlap fullscreen notification toast

Status: VERIFIED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Irvan Kurniawan [:sourc7]]

Attachment: xtestcase.bundle.html

When user on web page A window, then other web page B trigger JS reportValidity, the web page B window able to steal focus from page A window.

After launching both site in popup window, then trigger reportValidity repeatedly, it able to steal window focus to overlap fullscreen notification toast on Windows 11.

Tested works on Firefox 134.0 (64-bit) and Firefox Nightly 135.0a1 (2025-01-06) (64-bit) on both my laptop Intel i5-1035G and desktop PC.

When running mozregression, it show it is a regression of Bug 1922956 - Further clean-up widget creation code-paths

Steps to reproduce:

1. Visit attached xtestcase.bundle.html
2. Click "Launch Opener Window"
3. Click "Launch Fullscreen Window"
4. Click anywhere inside the page
5. Opener Window shown at the top of fullscreen notification toast

(If still doesn't work, I found a trick by right click before "Launch Fullscreen Window", it will works all the time; on the attached video I perform that without the right-click)

1. Visit attached xtestcase.bundle.html
2. Click "Launch Opener Window"
3. When you see "Launch Fullscreen Window"
4. Right click
5. Left click "Launch Fullscreen Window"
6. Left click anywhere inside the page
7. Opener Window shown at the top of fullscreen notification toast

Comment 1

[Irvan Kurniawan [:sourc7]]

Attachment: reportValidity steal window focus to overlap fullscreen notification toast.mp4

Comment 2

[Irvan Kurniawan [:sourc7]]

Attachment: reportValidity steal window focus with right-click method.mp4

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Setting Regressed by field after analyzing regression range found by mozregression in comment #0.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

:emilio, since you are the author of the regressor, bug 1922956, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 5

[Daniel Veditz [:dveditz]]

This regression reintroduces CVE-2022-22746.

It looks like the notification bar isn't even being shown, not that it's being covered up. If you repeatedly hit ESC to leave fullscreen and then click on the popup to re-enter fullscreen you will never see the notification on any transition. At that point the window that had the reportValidity check could have been closed, and in any case isn't re-activating the validity check.

Comment 6

[Emilio Cobos Álvarez [:emilio]]

I was confused as well because I didn't see the fullscreen notification anymore, but that's a more recent regression, see bug 1940698.

Comment 7

[Emilio Cobos Álvarez [:emilio]]

Attachment: Bug 1940162 - Use SWP_NOOWNERZORDER when showing popups. r=#win-reviewers

So as to avoid raising the owner window to the front. That's the
intention of the code given the comment, but it needs this flag to work.

Comment 8

[Emilio Cobos Álvarez [:emilio]]

So the fullscreen warning is fixed in bug 1940698 (regressor was backed out of beta).

The remaining issue is a z-ordering issue that can be observed with a page like this:

<!doctype html>
<input id="targetElement" autofocus="true" style="opacity: 0">
<button onclick="setTimeout(triggerReportValidity, 4000);">Report in a bit</button>
<script>
targetElement.setCustomValidity("Please wait while we redirecting to page..")
function triggerReportValidity() {
    targetElement.reportValidity()
}
</script>

STR would be:

• Open that page.
• Click the button.
• Press Ctrl+N to create a new window.

ER:

• The new window is still in the foreground

AR:

• The old window gets raised.

That's fixed by the patch I just attached.

Comment 9

[Ray Kraesig [:rkraesig]]

(In reply to Emilio Cobos Álvarez (:emilio) from comment #8)

ER:

• The new window is still in the foreground

AR:

• The old window gets raised.

I can't reproduce using this STR in 136.0a1 (2025-01-07): the new window remains in the foreground.

I can, however, still use the second STR in comment 0. (I've confirmed the patch fixes it.)

Comment 10

[Emilio Cobos Álvarez [:emilio]]

The sec-high was on the assumption that the fullscreen notice was not being shown, but that's an unrelated regression. Is this still sec-high?

Comment 11

[Emilio Cobos Álvarez [:emilio]]

Comment on attachment 9446528 [details]
Bug 1940162 - Use SWP_NOOWNERZORDER when showing popups. r=#win-reviewers

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Not too much I think?
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta+release
• If not all supported branches, which bug introduced the flaw?: 1922956 (kinda, it exposed a pre-existing bug)
• Do you have backports for the affected branches?: Yes
• If not, how different, hard to create, and risky will they be?: should apply cleanly or be trivial to rebase
• How likely is this patch to cause regressions; how much testing does it need?: Relatively unlikely? It's making Windows do less to the z-order of our windows...
• Is the patch ready to land after security approval is given?: Yes
• Is Android affected?: No

Beta/Release Uplift Approval Request

• User impact if declined/Reason for urgency: sec issue
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: No
• Needs manual test from QE?: Yes
• If yes, steps to reproduce: comment 0 and/or comment 8
• List of other uplifts needed: none
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): See above
• String changes made/needed: none
• Is Android affected?: No

Comment 12

[Tom Ritter [:tjr] (OOTO Oct 18-26)]

Comment on attachment 9446528 [details]
Bug 1940162 - Use SWP_NOOWNERZORDER when showing popups. r=#win-reviewers

approved to land

Comment 13

[Andrew McCreight [:mccr8]]

(In reply to Daniel Veditz [:dveditz] from comment #5)

This regression reintroduces CVE-2022-22746.

While in 2022 we were rating fullscreen issues sec-high, in the last few years we have started rating them sec-moderate, so I'm going to adjust the rating here. See here.

Comment 14

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3222d6c111d6
Use SWP_NOOWNERZORDER when showing popups. r=win-reviewers,rkraesig

Comment 15

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/3222d6c111d6

Comment 16

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9446528 [details]
Bug 1940162 - Use SWP_NOOWNERZORDER when showing popups. r=#win-reviewers

Approved for 135.0b4.

Comment 17

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/0eed78611079

Comment 18

[Bogdan Maris, Desktop Test Engineering]

Reproduced the issue using an old Nightly build from 2024-01-10 using the testcase from the comment 0 but not comment 8, verified that using latest Nightly 136.0a1 and Latest Beta 135.0b4 across platforms (Windows 11, macOS 13 and Ubuntu 22.04) this issue is no longer reproducible.

Comment 19

[Tyson Smith [:tsmith]]

Attachment: advisory.txt