#VU55686 Insufficient UI Warning of Dangerous Operations in Mozilla Firefox


Published: 2021-08-10

Vulnerability identifier: #VU55686

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-29987

CWE-ID: CWE-357

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way Firefox displays permission panels. After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to.

Note, the vulnerability affects Linux installations only.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0 - 90.0.2

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2021-33/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for MozillaFirefox
SUSE update for MozillaFirefox
Gentoo update for Mozilla Firefox
SUSE update for MozillaThunderbird
SUSE update for MozillaFirefox, rust-cbindgen
SUSE update for MozillaFirefox
SUSE update for MozillaFirefox
SUSE Linux Enterprise Server 11 update for Mozilla Firefox
SUSE update for MozillaFirefox
Arch Linux update for firefox