Race condition in Mozilla Firefox

#VU52339 Race condition in Mozilla Firefox

Published: 2021-04-19

Vulnerability identifier: #VU52339

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-24000

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to perform clickjacking attack.

The vulnerability exists due to a race condition within requestPointerLock() and setTimeout() methods in conjunctions with certain elements, such as <input type="file">. A remote attacker can create a specially crafted web page that will result in a situation where a user interacting with one tab when they believed they were on a separate tab and gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0 - 87.0

CPE

cpe:2.3:a:mozilla:mozilla_firefox:87.0:*:*:*:*:*:*:*

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2021-16/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Arch Linux update for firefox

Ubuntu update for firefox

Multiple vulnerabilities in Mozilla Firefox and Firefox ESR