#VU64750 Improper Restriction of Rendered UI Layers or Frames in Mozilla Firefox


Vulnerability identifier: #VU64750

Vulnerability risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34479

CWE-ID: CWE-1021

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper handling of resizing event for a popup window. A remote attacker can create a specially crafted website that can create a resized popup to overlay the address bar with its own content and perform spoofing attack.

Note, the vulnerability affects Linux installations only.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 90.0 - 101.0.1

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2022-24/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Monitoring
Multiple vulnerabilities in IBM Application Performance Management
Oracle Solaris update for third-party software
SUSE update for MozillaFirefox
SUSE update for MozillaThunderbird
SUSE update for MozillaFirefox
SUSE update for MozillaFirefox
Gentoo update for Mozilla Thunderbird
Gentoo update for Mozilla Firefox
CentOS 7 update for firefox